Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I extract a field from another field?

rohinisb91
Observer
‎12-10-2018 04:28 PM

I have an event in the following format

2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO  com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC

These are already part of the "message" field. How do I extract npid, groupId, dom, source as different fields? These should be extracted as fields going forward.

Any pointers are appreciated!

Tags (2)
0 Karma
Reply

saurabhkharkar
Path Finder
‎12-27-2018 06:06 AM 
| makeresults 
| eval message="2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO  com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC"
|rex field=message ".*Bolt\=(?<Bolt>[^\|]+)"
|rex field=message ".*source\=(?<source>[^\|]+)" 
|rex field=message ".*dom\=(?<dom>[^\|]+)" 
|rex field=message ".*groupId\=(?<groupId>[^\|]+)" 
|rex field=message ".*npid\=(?<npid>[^\|]+)" 
|table message Bolt source dom groupId npid
0 Karma
Reply

adonio
Ultra Champion
‎12-10-2018 05:02 PM

hello there:

runt this search anywhere:

| makeresults count=1
| eval _raw = "2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO  com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC"
| rex field=_raw "(?<time>\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})\s+\[(?<something>[^\[]+)\[(?<some_digits>[^\]]+)\]\]\s+(?<log_level>[^\s]+)\s+(?<some_fqdn_maybe>[^\:]+)\:(?<maybe_port>\d+)\s\-\s(?<everything_elde>.+)"
| extract pairdelim="|", kvdelim="=:"

to make it permanent use props.conf
you can also use the interactive field extractor

hope it helps

Reply

ddrillic
Ultra Champion
‎12-10-2018 04:54 PM

Something in the spirit of .*source=(?<source>\w*).*dom=(?<dom>\w*)...

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...
Top