Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I extract a field from another field?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I extract a field from another field?
rohinisb91
Observer
12-10-2018
04:28 PM
I have an event in the following format
2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC
These are already part of the "message" field. How do I extract npid, groupId, dom, source as different fields? These should be extracted as fields going forward.
Any pointers are appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
saurabhkharkar
Path Finder
12-27-2018
06:06 AM
| makeresults
| eval message="2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC"
|rex field=message ".*Bolt\=(?<Bolt>[^\|]+)"
|rex field=message ".*source\=(?<source>[^\|]+)"
|rex field=message ".*dom\=(?<dom>[^\|]+)"
|rex field=message ".*groupId\=(?<groupId>[^\|]+)"
|rex field=message ".*npid\=(?<npid>[^\|]+)"
|table message Bolt source dom groupId npid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
12-10-2018
05:02 PM
hello there:
runt this search anywhere:
| makeresults count=1
| eval _raw = "2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC"
| rex field=_raw "(?<time>\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})\s+\[(?<something>[^\[]+)\[(?<some_digits>[^\]]+)\]\]\s+(?<log_level>[^\s]+)\s+(?<some_fqdn_maybe>[^\:]+)\:(?<maybe_port>\d+)\s\-\s(?<everything_elde>.+)"
| extract pairdelim="|", kvdelim="=:"
to make it permanent use props.conf
you can also use the interactive field extractor
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
12-10-2018
04:54 PM
Something in the spirit of .*source=(?<source>\w*).*dom=(?<dom>\w*)...
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
