Splunk Search

Field extraction

moinoddinyadgir
Loves-to-Learn

Hi Community,

I have a question about regex and extraction

I have _raw data in 2 rows/lines (key and value) and I have to extract fields with key and value.

e.g.:
row 1 : Test1 Test2 Test3 Test4 Test5 Test6 Test7 Test8 Test9 Test10
row 2:  101    102     103.    104.     105.   106.   107.   108.   109.    110     

I have to extract only Test7 from the above log and print its value in a table.

Please help me.

Regards,
Moin


PickleRick
SplunkTrust

If your data is always in the same order, as others already suggested, it's just a matter of setting up either a regex-based or a delimiter-based extraction to find the value in a given position.

But if the problem lies in the fact that the column order can change (and is always determined by a header row in a file), only INDEXED_EXTRACTIONS can help, because Splunk processes each event separately, so it has no way of knowing which "format" a particular row belongs to if different files had different header rows.


yuanliu
SplunkTrust

Do you mean to say that each event contains a row of headers and another row of values like the following?

Test1 Test2 Test3 Test4 Test5 Test6 Test7 Test8 Test9 Test10
101 102 103. 104. 105. 106. 107. 108. 109. 110

The easiest is, like @gcusello suggested, to create a form to match this format, then use kvform.

No matter which method you use, you have to answer one question: What is the delimiter? Obviously there is no comma. But it is totally unclear whether the delimiter is one space character, one tab character, or whether any number of white space characters can be interpreted as one delimiter. The suitable solution can differ when the delimiter differs.

Here I illustrate a solution without using kvform that works with any number of white spaces between fields.


| rex mode=sed "s/\n/::/ s/\s+/,/g s/::/
/"
| multikv

Your sample data will give you

Test1  Test10  Test2  Test3  Test4  Test5  Test6  Test7  Test8  Test9
101    110     102    103.   104.   105.   106.   107.   108.   109.

As I said, this is just one possible solution, and it is most suitable if the number of white spaces (and even the type of white space) between fields cannot be predetermined AND field names and values do not contain any white space.

Here is an emulation that you can play with and compare with real data.


| makeresults
| eval _raw = "Test1 Test2 Test3 Test4 Test5 Test6 Test7 Test8 Test9 Test10
101    102     103.    104.     105.   106.   107.   108.   109.    110"
``` data emulation above ```


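As an added example (not part of yuanliu's or any other poster's answer), the search below handles the two points raised in this thread in one pass: it treats any run of white space as a single delimiter, as yuanliu's sed approach does, and it looks the wanted key up by name in the header row instead of by a fixed position, which is what makes PickleRick's reordered-column case work when the header travels inside the event. The sample event is constructed from the layout in the question; the field names header, values and pos are my own choice and can be renamed.

```spl
| makeresults
| eval _raw="Test1 Test2 Test3 Test4 Test5 Test6 Test7 Test8 Test9 Test10
101    102     103.    104.     105.   106.   107.   108.   109.    110"
| rex field=_raw "(?s)^(?<header>[^\n]*)\n(?<values>.*)$"
| eval header=split(trim(replace(header, "\s+", " ")), " ")
| eval values=split(trim(replace(values, "\s+", " ")), " ")
| eval pos=mvfind(header, "^Test7$")
| eval Test7=if(isnotnull(pos), mvindex(values, pos), null())
| table Test7
```

The rex splits the event at its first newline into the header line and the value line; replace collapses every run of white space (spaces, tabs, or a mix) to one space before split turns each line into a multivalue field, so both sides always have one entry per column. mvfind returns the zero-based index of the header entry matching the anchored regex, and mvindex pulls the value at that same index, so Test7 resolves to "107." for the sample above regardless of which column it sits in, and Test10 is no longer confused with Test1 the way the multikv output shows. If the header has no Test7 entry, pos is null and the Test7 column is simply empty, which is what a downstream table or stats should see rather than a mis-aligned neighbour's value. To run this against live data, drop the makeresults and eval _raw lines and put your index/sourcetype search in their place; the rest is unchanged because it only reads _raw.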

deepakc
Builder

This is an example using makeresults and rex

| makeresults
| eval _raw="Test1=101,Test2=102,Test3=103,Test4=104,Test5=105,Test6=106,Test7=107,Test8=108,Test9=109,Test101=110"
| makemv _raw delim=","
| rex field=_raw "(?<field>Test7)=(?<value>\d+)"
| table field value

moinoddinyadgir
Loves-to-Learn

@deepakc 
Thank you for reply.

_raw data is not static; it is going to change every minute.
Could you please let me know how to use "eval" for data which is going to change?


gcusello
SplunkTrust