Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I perform a field extraction and display it as a table that contains all the values from my search?

senthamilselvan
Engager
‎02-01-2018 12:25 PM

Hi Team,

Please find the below log sample. I want to extract from the line "program" till the end and display as a table which contains all the values as shown in the output..

REPLICATION LAG

Oracle GoldenGate Command Interpreter for DB2 Version 12.1.2.1.5 20635622 OGGCORE_12.1.2.1.0OGGBP_PLATFORMS_150320.0454
AIX 6, ppc, 64bit (optimized), DB2 10.5 on Apr 23 2015 00:58:12 Operating system character set identified as ISO-8859-1.

Copyright (C) 1995, 2015, Oracle and/or its affiliates. All rights reserved.

GGSCI (nc006qad02) 1> info all

Program     Status      Group       LagatChkpt  TimeSinceChkpt
MANAGER     RUNNING                                           
JAGENT      RUNNING                                           
REPLICAT    RUNNING     REPHG       00:00:00      00:00:05    
REPLICAT    RUNNING     REPRA       00:00:00      00:00:07    
REPLICAT    RUNNING     REPSD       00:00:00      00:00:00    
REPLICAT    STOPPED     RILAA       00:00:00      3489:18:54  
REPLICAT    STOPPED     RILQQ       00:00:00      3166:32:14  
REPLICAT    STOPPED     RILRA       00:00:00      3489:18:44  
REPLICAT    STOPPED     RILRH       00:00:00      3489:18:01  
REPLICAT    STOPPED     RILTT       00:00:00      3489:18:36  
REPLICAT    RUNNING     RPLXQ       00:00:00      00:00:04    
REPLICAT    ABENDED     RRAHG       2125:39:25    01:13:05    

output table will be: and the first line will be header of the table.

Program     Status      Group       LagatChkpt  TimeSinceChkpt
MANAGER     RUNNING                                           
JAGENT      RUNNING                                           
REPLICAT    RUNNING     REPHG       00:00:00      00:00:05    
REPLICAT    RUNNING     REPRA       00:00:00      00:00:07    
REPLICAT    RUNNING     REPSD       00:00:00      00:00:00    
REPLICAT    STOPPED     RILAA       00:00:00      3489:18:54  
REPLICAT    STOPPED     RILQQ       00:00:00      3166:32:14  
REPLICAT    STOPPED     RILRA       00:00:00      3489:18:44  
REPLICAT    STOPPED     RILRH       00:00:00      3489:18:01  
REPLICAT    STOPPED     RILTT       00:00:00      3489:18:36  
REPLICAT    RUNNING     RPLXQ       00:00:00      00:00:04    
REPLICAT    ABENDED     RRAHG       2125:39:25    01:13:05
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-02-2018 05:51 AM

If you can treat all of the lines as a single event then the multikv command should help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

somesoni2
Revered Legend
‎02-01-2018 01:15 PM

Does all those lines part of single event?

0 Karma
Reply

senthamilselvan
Engager
‎02-01-2018 11:38 PM

we can consider as single event or we can break into multiple as well. Because that is sample file am going to index

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...