Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I extract a field from another field?

rohinisb91
Observer
‎12-10-2018 04:28 PM

I have an event in the following format

2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO  com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC

These are already part of the "message" field. How do I extract npid, groupId, dom, source as different fields? These should be extracted as fields going forward.

Any pointers are appreciated!

Tags (2)
0 Karma
Reply

saurabhkharkar
Path Finder
‎12-27-2018 06:06 AM 
| makeresults 
| eval message="2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO  com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC"
|rex field=message ".*Bolt\=(?<Bolt>[^\|]+)"
|rex field=message ".*source\=(?<source>[^\|]+)" 
|rex field=message ".*dom\=(?<dom>[^\|]+)" 
|rex field=message ".*groupId\=(?<groupId>[^\|]+)" 
|rex field=message ".*npid\=(?<npid>[^\|]+)" 
|table message Bolt source dom groupId npid
0 Karma
Reply

adonio
Ultra Champion
‎12-10-2018 05:02 PM

hello there:

runt this search anywhere:

| makeresults count=1
| eval _raw = "2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO  com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC"
| rex field=_raw "(?<time>\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})\s+\[(?<something>[^\[]+)\[(?<some_digits>[^\]]+)\]\]\s+(?<log_level>[^\s]+)\s+(?<some_fqdn_maybe>[^\:]+)\:(?<maybe_port>\d+)\s\-\s(?<everything_elde>.+)"
| extract pairdelim="|", kvdelim="=:"

to make it permanent use props.conf
you can also use the interactive field extractor

hope it helps

Reply

ddrillic
Ultra Champion
‎12-10-2018 04:54 PM

Something in the spirit of .*source=(?<source>\w*).*dom=(?<dom>\w*)...

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top