Splunk Search

How do I edit my rex syntax in my search to extract a field from an unstructured event?


I would like to perform field extraction from an unstructured event.
I am unable to perform the field extraction from FX, as the event size is so big and it's not completely visible. On top of that, most events do not have a standard structure.

I am able to extract the required field using | rex (?<test1_status>"Running") .
But when I used the same rex in the following search, it's not giving me the required results as the results are getting filtered by the rex.

Please let me know a way to incorporate this rex in props.conf and/or improve the following search.
Additionally, I think the rex in this search will not get the accurate results as both of them are trying to extract same value Running from two source types.

index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex (?<test1_status>"Running")
| rex (?<test2_status>"Running")
| stats latest(*_status) as *_status by sourcetype
| stats values(*_status) as *_status
| eval running_ok = if(test1_status="Running" AND test2="Running", 0, 1) 
| eval final = if(running_ok=0, 0, 1) 
|table running_ok final
0 Karma


See if this query gives you the desired results

index="test1" (sourcetype="stype1" OR sourcetype="stype2")
| rex "(?<status>Running)"
| fillnull value="Not Running" status
| stats latest(status) as status by sourcetype
| eval running_ok = if(stype1="Running" AND stype2="Running", 0, 1) 
| eval final=running_ok
| table running_ok final
0 Karma


Please share a sample event.

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...