Get Pattern or punct at search time for one specific field

AnilPujar
Path Finder

Does Splunk have any spl command like punct?

The default punct field will get patterns on the _raw field.

Is there any command where I can use to get the similar pattern on the custom field instead of _raw?

Example:

description="User: ABC Project: XYZ Company Name: JKLM Short Description: Project is so and so"
description="User: ABC Company Name: JKLM Project: XYZ Employee Level: 7 Short Description: Project is so and so User Designation: Splunk Consultant"

description="User: ABC Project: Jkl Company Name: JKLM Short Description: Project: Automation"
and so on.


I cannot use the extract command, because the sub-fields which I want to extract are not in order and the keys are 2/3/4/5 words.

The only key-value delimiter I can see is the colon (:), and also sometimes the user might feed : in certain sub-fields.


ITWhisperer
SplunkTrust

Your issue is not to do with punctuation; it is more to do with using the field names within the field text, e.g. Project:

If you know the field names you want to extract, you could do something like this:

| makeresults 
| eval _raw="description=\"User: ABC Project: XYZ Company Name: JKLM Short Description: Project is so and so\"
description=\"User: ABC Company Name: JKLM Project: XYZ Employee Level: 7 Short Description: Project is so and so User Designation: Splunk Consultant\"
description=\"User: ABC Project: Jkl Company Name: JKLM Short Description: Project: Automation\""
| multikv noheader=t
| fields _raw
| fields - _time
| eval raw=_raw
| rex mode=sed field=raw "s/User: /_User_: /g"
| rex mode=sed field=raw "s/Project: /_Project_: /g"
| rex mode=sed field=raw "s/Company Name: /_Company Name_: /g"
| rex mode=sed field=raw "s/Employee Level: /_Employee Level_: /g"
| rex mode=sed field=raw "s/Short Description: /_Short Description_: /g"
| rex mode=sed field=raw "s/User Designation: /_User Designation_: /g"
| rex mode=sed field=raw "s/_(?<first>[^_]+)_: _(?<second>[^_]+)_/_\\1_: \\2/g"
| rex max_match=0 field=raw "_(?<namevalue>[^_]+_: [^_]+)"
| mvexpand namevalue
| rex field=namevalue "(?<name>[^_]+)_: (?<value>[^\"]*)"
| eval {name}=trim(value)
| fields - name namevalue value raw
| stats values(*) as * by _raw

Note that where Project: was used at the beginning of the field, this was corrected by assuming every field had something in it, and that if a known field name was at the start of the field, it could be reverted back to just text and not a field name to extract. Also, there is an assumption that underscores aren't used in the text. If they are, then use something else (that isn't in the text) as a delimiter for the field names.

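The same known-key approach carried out in Python, as an added example that is not part of the original thread: the key list and the sample lines are taken from the question, while the function names and the per-line description="..." wrapper are assumptions. It applies the answer's rule that a known key found exactly where the previous key's value starts is plain text, and shows why only splitting on known keys leaves a stray colon inside a value alone.

```python
import re

# Known field names from the question, longest first so "User Designation" beats "User".
KNOWN_KEYS = sorted(
    ["User", "Project", "Company Name", "Employee Level",
     "Short Description", "User Designation"],
    key=len, reverse=True,
)
# A key only delimits a field when followed by ": " and not glued to a word.
KEY_RE = re.compile(r"(?<!\w)(" + "|".join(map(re.escape, KNOWN_KEYS)) + r"): ")

def parse_description(text, keys_re=KEY_RE):
    """Split one description value into an ordered {key: value} dict.
    Only known keys delimit fields, so a stray ':' in a value ("Ratio 1:2") stays.
    A known key sitting exactly where the previous key's value starts
    ("Short Description: Project: Automation") is demoted to plain text, the
    same rule as the answer's sed step that turns "_A_: _B_" into "_A_: B".
    """
    real = []  # matches that really delimit fields
    for m in keys_re.finditer(text):
        if real and real[-1].end() == m.start():
            continue  # label used as the first word of the previous value
        real.append(m)
    result = {}
    for i, m in enumerate(real):
        end = real[i + 1].start() if i + 1 < len(real) else len(text)
        result[m.group(1)] = text[m.end():end].strip()
    return result


def parse_events(raw):
    """Parse lines shaped like description="..." (one event per line; assumed layout)."""
    records = []
    for line in raw.splitlines():
        m = re.fullmatch(r'description="(.*)"', line.strip())
        if m:
            records.append(parse_description(m.group(1)))
    return records


# Constructed sample: the three example values from the question, one per line.
SAMPLE = '''description="User: ABC Project: XYZ Company Name: JKLM Short Description: Project is so and so"
description="User: ABC Company Name: JKLM Project: XYZ Employee Level: 7 Short Description: Project is so and so User Designation: Splunk Consultant"
description="User: ABC Project: Jkl Company Name: JKLM Short Description: Project: Automation"
'''

if __name__ == "__main__":
    for record in parse_events(SAMPLE):
        print(record)
```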