Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction Help

moinyuso96
Path Finder
‎05-16-2021 08:16 PM

Description                     

Recorded value for [Turn On Test 123]

Recorded value for [Turn On Test 456]

Execute all Appliances

In process to Execute

 

I would like to create another field name "Status" whereby it only extract "Turn On" for "Recorded value for [Turn On Test xxx]" and "Execute" for "Execute all Appliances" & "In process to Execute"

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2021 12:51 AM

Hi @moinyuso96,

as I said, the problem is that to correctly extract the status I need to know the format or the values of the status field.

If the values fo the status are defined and in a limitated number you can put these values in the regex, e.g. if the possible values are only "Tun On", "Turn Off" and "Execute", you could use them in the regex:

| rex "\[(?<status>Turn On|Turn Off|Execute)"

as you can see in https://regex101.com/r/VAPtVU/2

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-16-2021 10:55 PM

Hi @moinyuso96,

the extraction of a field in logs ad the ones you shared is easy, only one question: the status is always a dondition of two words (e.g. Turn on, Turn off, etc...) or not?

The possible statuses are fixed (e.g. only "Turn on" and Turn off"?

I ask this to exactly define the content of the status ield.

So if the status is always composed by two words, try this:

| rex "\[(?<status>\w+\s\w+)"

that you can test at https://regex101.com/r/VAPtVU/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

moinyuso96
Path Finder
‎05-17-2021 12:44 AM

The status is not necessarily Turn On, I will also need to extract the word "Execute" where the location of the word is not the same for the case of "Execute All Appliances" and "In process to Execute".

 

I am actually looking if there is anyway I can extract those words regardless of the location in the sentence.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2021 12:51 AM

Hi @moinyuso96,

as I said, the problem is that to correctly extract the status I need to know the format or the values of the status field.

If the values fo the status are defined and in a limitated number you can put these values in the regex, e.g. if the possible values are only "Tun On", "Turn Off" and "Execute", you could use them in the regex:

| rex "\[(?<status>Turn On|Turn Off|Execute)"

as you can see in https://regex101.com/r/VAPtVU/2

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2021 05:30 AM

Hi @moinyuso96,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...