Splunk Search

Having trouble with field extractor on 7.0

Communicator

I have a couple of events like this:

Mime.stuff.1 = 10
Mime.pop = "blabla"

Basically I want to create a field "MimeProperty", and the requirement is that it begins with "Mime.". I'm having trouble working with the extractor as I don't fully understand it. Can anyone point me in the right direction? Thanks in advance.

0 Karma
1 Solution

SplunkTrust

Try this :

index=your_index | rex field=_raw "Mime.*\=\s(|\")(?P<MimeProperty>[^\s|\"]+)"

Let me know if it helps!!

If you get improper output, then please provide some sample events, as there is some confusion about whether there is a space after "=" in every event.


0 Karma
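
The regex from the answer above, run against the two sample events from the question, as an added example that is not part of the original posts. Python's `re` stands in for Splunk's regex engine (an assumption that holds for this pattern), and `TOLERANT` is a hypothetical variant, not from the thread, that makes the whitespace after "=" optional and also captures the property name.

```python
import re

# Regex from the answer; the \" escapes needed inside the SPL string
# are written as plain quotes here.
POSTED = re.compile(r'Mime.*\=\s(|")(?P<MimeProperty>[^\s|"]+)')

# Hypothetical variant (not from the thread): literal dot after "Mime",
# optional whitespace around "=", and the property name captured as well.
TOLERANT = re.compile(
    r'\bMime\.(?P<MimeName>[\w.]+)\s*=\s*"?(?P<MimeProperty>[^\s"]+)'
)

# Constructed sample events: the two from the question plus two variants.
EVENTS = [
    'Mime.stuff.1 = 10',
    'Mime.pop = "blabla"',
    'Mime.pop="blabla"',   # no space after "="
    'Mimetype = text',     # does not begin with "Mime."
]


def extract(pattern, event):
    """Return the named groups of the first match, or None if no match."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def compare(events=EVENTS):
    """Pair each event with what the posted and tolerant patterns extract."""
    return [(e, extract(POSTED, e), extract(TOLERANT, e)) for e in events]


if __name__ == "__main__":
    for event, posted, tolerant in compare():
        print(f"{event!r}\n  posted:   {posted}\n  tolerant: {tolerant}")
```

The posted pattern needs exactly one whitespace character after "=" and, because its dot is unescaped, also matches names such as `Mimetype`; the variant shows one way to tighten both points.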

Communicator

@mayurr98 Nice, it works plenty! Post it as an answer for me to mark it as correct.

0 Karma

SplunkTrust

You are welcome,
I have converted it. Please accept!

0 Karma

SplunkTrust

Can you please elaborate on more sample events?
Also, what do you want to extract? 10 and blabla?

0 Karma

Communicator

Those would be the values, yes. I want every field that starts off with Mime.

0 Karma