Splunk Search

How do I write a regular expression in a Splunk search to extract data from comma-separated text into a table format?

New Member

I am trying to write a search/extract on the sample type of log file below.
Sample data is as below (it will repeat across the whole log file, with some other log lines in between):

EventTime: 2016-01-01 14:54:22
User: cooluser1
AVGMetrics: 1 Year 99% AVG [33], 10 Year 95% AVG (1Y) [45], 480 Year 90% AVG [48], 690 Year 90% AVG [28],
WindowPeriod: 10 Years
ExtraParams: None

I need to extract a portion of the AVGMetrics data as below:

_time                  User          AVGMetrics
2016-01-01 14:54:22    cooluser1     1
2016-01-01 14:54:22    cooluser1     10
2016-01-01 14:54:22    cooluser1     480
2016-01-01 14:54:22    cooluser1     690

How do I achieve this? Can someone help, please?

1 Solution

Legend

Try this

*UPDATED*

.... | rex max_match=0 "\s+(?<AVGMetrics>\d+)\s+Year\s" | table _time User AVGMetrics | mvexpand AVGMetrics

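The accepted answer's rex only produces the table shown in the question if _time, User and AVGMetrics all sit in the same multi-line event; if the log was onboarded with one line per event, the extraction runs on each line in isolation and the User column comes out empty. The following is an added example, not code from the original post, that reproduces the search's logic offline in Python so the pattern can be checked against sample lines before it is put into a Splunk search. The sample log is constructed for this example (a second user and two unrelated log lines are assumptions), the event splitter stands in for Splunk's line merging, and the pattern is the answer's regex with Python's `(?P<name>...)` group syntax in place of PCRE's `(?<name>...)`.

```python
import re

# Constructed sample log (not from the original post): two multi-line events in
# the poster's format with unrelated log lines around them.
SAMPLE_LOG = """\
2016-01-01 14:54:20 INFO scheduler started
EventTime: 2016-01-01 14:54:22
User: cooluser1
AVGMetrics: 1 Year 99% AVG [33], 10 Year 95% AVG (1Y) [45], 480 Year 90% AVG [48], 690 Year 90% AVG [28],
WindowPeriod: 10 Years
ExtraParams: None
2016-01-01 14:54:23 DEBUG heartbeat ok
EventTime: 2016-01-01 15:01:07
User: cooluser2
AVGMetrics: 5 Year 99% AVG [12], 25 Year 95% AVG [19],
WindowPeriod: 25 Years
ExtraParams: None
"""

# Same pattern as the answer's rex. The trailing \s is what stops
# "WindowPeriod: 10 Years" from matching: after "Year" comes an "s", not whitespace.
AVG_RE = re.compile(r"\s+(?P<AVGMetrics>\d+)\s+Year\s")
TIME_RE = re.compile(r"^EventTime:\s*(?P<time>.+?)\s*$", re.MULTILINE)
USER_RE = re.compile(r"^User:\s*(?P<user>\S+)", re.MULTILINE)


def split_events(text):
    """Group raw lines into multi-line events, each starting at an EventTime: line.

    This stands in for Splunk's line breaking so that _time, User and AVGMetrics
    live in one event, which is what the rex answer relies on. Lines before the
    first EventTime: are dropped, as Splunk would have put them in other events.
    """
    events = []
    current = None
    for line in text.splitlines():
        if line.startswith("EventTime:"):
            if current is not None:
                events.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        events.append("\n".join(current))
    return events


def extract_rows(text):
    """Offline equivalent of:
    rex max_match=0 "\\s+(?<AVGMetrics>\\d+)\\s+Year\\s" | table _time User AVGMetrics | mvexpand AVGMetrics

    Returns one (_time, User, AVGMetrics) tuple per matched value, i.e. the
    already-expanded table. Like rex, the pattern runs over the whole event text,
    not just the AVGMetrics line.
    """
    rows = []
    for event in split_events(text):
        t = TIME_RE.search(event)
        u = USER_RE.search(event)
        if not (t and u):
            # Splunk would emit a row with empty User; the extraction is useless then.
            continue
        # max_match=0 in rex means "every match", which is findall here.
        for value in AVG_RE.findall(event):
            rows.append((t.group("time"), u.group("user"), value))
    return rows


if __name__ == "__main__":
    for _time, user, metric in extract_rows(SAMPLE_LOG):
        print(f"{_time}  {user:<12}  {metric}")
```

Running the script prints the four rows from the question for cooluser1 followed by two for cooluser2; the "10 Years" and "25 Years" window periods do not appear, which is the check worth making before trusting the rex in production data where other `<number> Year` fragments may exist.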