Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I extract fields from my sample log using regex?

bravon
Communicator
‎11-11-2015 06:04 AM

I got a log containing "Step" values in order:

Step=11001 , Step=11018 , Step=12302 , Step=12319 , Step=12800 , Step=12805 , Step=12806 , Step=12801 , Step=12802 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12319 , Step=12804 , Step=12816 , Step=12311 , Step=15041 , Step=15004 , Step=15013 , Step=24432 , Step=24416 , Step=22037 , Step=15044 , Step=12312 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12306 , Step=11503 , Step=24703 , Step=24702 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15016 ,

How can I extract fields from this? End result should be that each Step has its own field (Step1, Step2) and so on

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 06:22 AM

Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use makemv with delim=" , Step="

Regex would look like this:

... | rex "Step=(?P<steps>.+) ,<following field>"

or if there are no fields after the "step" fields:

... | rex "Step=(?P<steps>.+) , $"

Then use makemv to convert the single string into a list of values:

... | makemv delim=" , Step=" steps

This should result in something like this:

Field1   Field2   steps
A        B        11001 11018 12302 ... 15016

Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 06:22 AM

Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use makemv with delim=" , Step="

Regex would look like this:

... | rex "Step=(?P<steps>.+) ,<following field>"

or if there are no fields after the "step" fields:

... | rex "Step=(?P<steps>.+) , $"

Then use makemv to convert the single string into a list of values:

... | makemv delim=" , Step=" steps

This should result in something like this:

Field1   Field2   steps
A        B        11001 11018 12302 ... 15016

Hope this helps

Reply
Solved! Jump to solution

bravon
Communicator
‎11-12-2015 07:26 AM 
| rex max_match=0 "Step=(?<a_Step>([0-9]{5}))"

This puts all the "Step" values in one field called "a_Step"
Next task is to lookup the a_Step-values in a .cvs-file and properly present the info to a user

| lookup my_csv_lookup "Message Code" AS a_Step OUTPUT Category

When using the search app and applying the rex+lookup the "Category" field now lists the Category for each Step in the right order.
Next task at hand is to figure out how to best present this to the users accessing the data

Reply
Solved! Jump to solution

bravon
Communicator
‎11-12-2015 07:23 AM

Thanks for the input - it got us on the right track:)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...