Splunk Search

Field extraction Help

moinyuso96
Path Finder

Description                     

Recorded value for [Turn On Test 123]

Recorded value for [Turn On Test 456]

Execute all Appliances

In process to Execute

 

I would like to create another field name "Status" whereby it only extract "Turn On" for "Recorded value for [Turn On Test xxx]" and "Execute" for "Execute all Appliances" & "In process to Execute"

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @moinyuso96,

as I said, the problem is that to correctly extract the status I need to know the format or the values of the status field.

If the values fo the status are defined and in a limitated number you can put these values in the regex, e.g. if the possible values are only "Tun On", "Turn Off" and "Execute", you could use them in the regex:

| rex "\[(?<status>Turn On|Turn Off|Execute)"

as you can see in https://regex101.com/r/VAPtVU/2

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @moinyuso96,

the extraction of a field in logs ad the ones you shared is easy, only one question: the status is always a dondition of two words (e.g. Turn on, Turn off, etc...) or not?

The possible statuses are fixed (e.g. only "Turn on" and Turn off"?

I ask this to exactly define the content of the status ield.

So if the status is always composed by two words, try this:

| rex "\[(?<status>\w+\s\w+)"

that you can test at https://regex101.com/r/VAPtVU/1

Ciao.

Giuseppe

0 Karma

moinyuso96
Path Finder

The status is not necessarily Turn On, I will also need to extract the word "Execute" where the location of the word is not the same for the case of "Execute All Appliances" and "In process to Execute".

 

I am actually looking if there is anyway I can extract those words regardless of the location in the sentence.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @moinyuso96,

as I said, the problem is that to correctly extract the status I need to know the format or the values of the status field.

If the values fo the status are defined and in a limitated number you can put these values in the regex, e.g. if the possible values are only "Tun On", "Turn Off" and "Execute", you could use them in the regex:

| rex "\[(?<status>Turn On|Turn Off|Execute)"

as you can see in https://regex101.com/r/VAPtVU/2

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @moinyuso96,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...