Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract fields from my sample log using regex?

bravon
Communicator
‎11-11-2015 06:04 AM

I got a log containing "Step" values in order:

Step=11001 , Step=11018 , Step=12302 , Step=12319 , Step=12800 , Step=12805 , Step=12806 , Step=12801 , Step=12802 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12319 , Step=12804 , Step=12816 , Step=12311 , Step=15041 , Step=15004 , Step=15013 , Step=24432 , Step=24416 , Step=22037 , Step=15044 , Step=12312 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12306 , Step=11503 , Step=24703 , Step=24702 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15016 ,

How can I extract fields from this? End result should be that each Step has its own field (Step1, Step2) and so on

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 06:22 AM

Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use makemv with delim=" , Step="

Regex would look like this:

... | rex "Step=(?P<steps>.+) ,<following field>"

or if there are no fields after the "step" fields:

... | rex "Step=(?P<steps>.+) , $"

Then use makemv to convert the single string into a list of values:

... | makemv delim=" , Step=" steps

This should result in something like this:

Field1   Field2   steps
A        B        11001 11018 12302 ... 15016

Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 06:22 AM

Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use makemv with delim=" , Step="

Regex would look like this:

... | rex "Step=(?P<steps>.+) ,<following field>"

or if there are no fields after the "step" fields:

... | rex "Step=(?P<steps>.+) , $"

Then use makemv to convert the single string into a list of values:

... | makemv delim=" , Step=" steps

This should result in something like this:

Field1   Field2   steps
A        B        11001 11018 12302 ... 15016

Hope this helps

Reply
Solved! Jump to solution

bravon
Communicator
‎11-12-2015 07:26 AM 
| rex max_match=0 "Step=(?<a_Step>([0-9]{5}))"

This puts all the "Step" values in one field called "a_Step"
Next task is to lookup the a_Step-values in a .cvs-file and properly present the info to a user

| lookup my_csv_lookup "Message Code" AS a_Step OUTPUT Category

When using the search app and applying the rex+lookup the "Category" field now lists the Category for each Step in the right order.
Next task at hand is to figure out how to best present this to the users accessing the data

Reply
Solved! Jump to solution

bravon
Communicator
‎11-12-2015 07:23 AM

Thanks for the input - it got us on the right track:)

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...