Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How do I edit my rex syntax in my search to extract a field from an unstructured event?

biec1
Explorer
โ€Ž12-14-2016 02:16 AM

I would like to perform field extraction from an unstructured event.
I am unable to perform the field extraction from FX, as the event size is so big and it's not completely visible. On top of that, most events do not have a standard structure.

I am able to extract the required field using | rex (?<test1_status>"Running") .
But when I used the same rex in the following search, it's not giving me the required results as the results are getting filtered by the rex.

Please let me know a way to incorporate this rex in props.conf and/or improve the following search.
Additionally, I think the rex in this search will not get the accurate results as both of them are trying to extract same value Running from two source types.

index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex (?<test1_status>"Running")
| rex (?<test2_status>"Running")
| stats latest(*_status) as *_status by sourcetype
| stats values(*_status) as *_status
| eval running_ok = if(test1_status="Running" AND test2="Running", 0, 1) 
| eval final = if(running_ok=0, 0, 1) 
|table running_ok final
0 Karma
Reply

sundareshr
Legend
โ€Ž12-14-2016 05:53 AM

See if this query gives you the desired results

index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex "(?<status>Running)"
| fillnull value="Not Running" status
| stats latest(status) as status by sourcetype
| eval running_ok = if(stype1="Running" AND stype2="Running", 0, 1) 
| eval final=running_ok
| table running_ok final
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
โ€Ž12-14-2016 05:02 AM

Please share a sample event.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply