Solved: How do I display a table with the fields extracted...

gvssaicharan · ‎04-17-2020

I built a regular expression to extract fields from a log file. However, after extracting I am not able to display the extracted fields in table format. The regular expression seems to be working online. https://regex101.com/r/ZcYOhG/2

I want to display the extracted fields in a table format. Can someone help me?

mayurr98 · ‎04-17-2020

try this:

index=<your_index>
| rex field=_raw "transactionId=(?<transactionId>[^\}]+)\}.*ResourceId\:\s(?<featureName>[^\,]+),.*CPNYID_(?<companyId>\d+)_AID_(?<aPaymentId>\d+)" 
| stats count by aPaymentId companyId featureName transactionId

View solution in original post

mayurr98 · ‎04-17-2020

try this:

index=<your_index>
| rex field=_raw "transactionId=(?<transactionId>[^\}]+)\}.*ResourceId\:\s(?<featureName>[^\,]+),.*CPNYID_(?<companyId>\d+)_AID_(?<aPaymentId>\d+)" 
| stats count by aPaymentId companyId featureName transactionId

gvssaicharan · ‎04-17-2020

Thank you for the quick reply. It worked well.
Can you explain why the same regex did not worked in splunk as is.
You made little tweaks in the expression.

mayurr98 · ‎04-17-2020

whats the query you are using to display the fields in table format?

How do I display a table with the fields extracted from regex?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How do I display a table with the fields extracted from regex?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25