Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I edit my rex syntax in my search to extract a field from an unstructured event?

biec1
Explorer
‎12-14-2016 02:16 AM

I would like to perform field extraction from an unstructured event.
I am unable to perform the field extraction from FX, as the event size is so big and it's not completely visible. On top of that, most events do not have a standard structure.

I am able to extract the required field using | rex (?<test1_status>"Running") .
But when I used the same rex in the following search, it's not giving me the required results as the results are getting filtered by the rex.

Please let me know a way to incorporate this rex in props.conf and/or improve the following search.
Additionally, I think the rex in this search will not get the accurate results as both of them are trying to extract same value Running from two source types.

index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex (?<test1_status>"Running")
| rex (?<test2_status>"Running")
| stats latest(*_status) as *_status by sourcetype
| stats values(*_status) as *_status
| eval running_ok = if(test1_status="Running" AND test2="Running", 0, 1) 
| eval final = if(running_ok=0, 0, 1) 
|table running_ok final
0 Karma
Reply

sundareshr
Legend
‎12-14-2016 05:53 AM

See if this query gives you the desired results

index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex "(?<status>Running)"
| fillnull value="Not Running" status
| stats latest(status) as status by sourcetype
| eval running_ok = if(stype1="Running" AND stype2="Running", 0, 1) 
| eval final=running_ok
| table running_ok final
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2016 05:02 AM

Please share a sample event.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...