Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I extract fields from my sample log using regex?

bravon
Communicator
‎11-11-2015 06:04 AM

I got a log containing "Step" values in order:

Step=11001 , Step=11018 , Step=12302 , Step=12319 , Step=12800 , Step=12805 , Step=12806 , Step=12801 , Step=12802 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12319 , Step=12804 , Step=12816 , Step=12311 , Step=15041 , Step=15004 , Step=15013 , Step=24432 , Step=24416 , Step=22037 , Step=15044 , Step=12312 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12306 , Step=11503 , Step=24703 , Step=24702 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15016 ,

How can I extract fields from this? End result should be that each Step has its own field (Step1, Step2) and so on

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 06:22 AM

Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use makemv with delim=" , Step="

Regex would look like this:

... | rex "Step=(?P<steps>.+) ,<following field>"

or if there are no fields after the "step" fields:

... | rex "Step=(?P<steps>.+) , $"

Then use makemv to convert the single string into a list of values:

... | makemv delim=" , Step=" steps

This should result in something like this:

Field1   Field2   steps
A        B        11001 11018 12302 ... 15016

Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 06:22 AM

Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use makemv with delim=" , Step="

Regex would look like this:

... | rex "Step=(?P<steps>.+) ,<following field>"

or if there are no fields after the "step" fields:

... | rex "Step=(?P<steps>.+) , $"

Then use makemv to convert the single string into a list of values:

... | makemv delim=" , Step=" steps

This should result in something like this:

Field1   Field2   steps
A        B        11001 11018 12302 ... 15016

Hope this helps

Reply
Solved! Jump to solution

bravon
Communicator
‎11-12-2015 07:26 AM 
| rex max_match=0 "Step=(?<a_Step>([0-9]{5}))"

This puts all the "Step" values in one field called "a_Step"
Next task is to lookup the a_Step-values in a .cvs-file and properly present the info to a user

| lookup my_csv_lookup "Message Code" AS a_Step OUTPUT Category

When using the search app and applying the rex+lookup the "Category" field now lists the Category for each Step in the right order.
Next task at hand is to figure out how to best present this to the users accessing the data

Reply
Solved! Jump to solution

bravon
Communicator
‎11-12-2015 07:23 AM

Thanks for the input - it got us on the right track:)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...