Solved: How do you take a value out of a field and make a ...

aatha89 · ‎10-05-2018

How do i take out the port number (portnr) from the args field and make it to a field called "port" by a search? Can the answer here be to use eval and rex ?

Vijeta · ‎10-05-2018

Yes , you can use this rex command to get port- rex field=Args "_(?<port>\d{4})_"

View solution in original post

Vijeta · ‎10-05-2018

Yes , you can use this rex command to get port- rex field=Args "_(?<port>\d{4})_"

aatha89 · ‎10-05-2018

Thanks :). Do you think i will need to use eval here? or will it just be fine to use rex ?

Vijeta · ‎10-05-2018

rex will be fine, no need for eval if you just want to get port number in port field.

aatha89 · ‎10-05-2018

My logline her is:
_time command Args
24.05.1998 17:54 splunkA A_4040_restart

4040 is the portnr. I just want to take out portnr and put it a new field called port

kamlesh_vaghela · ‎10-05-2018

try this

YOUR_SEARCH  | rex field=args "_(?<port>.*)_"

Sample:

| makeresults | eval args="A_4040_restart" | rex field=args "_(?<port>.*)_"

aatha89 · ‎10-05-2018

Thank you very much!

kamlesh_vaghela · ‎10-05-2018

try
YOUR_SEARCH | rename portnr as port

aatha89 · ‎10-05-2018

Thanks for your reply! But my full question was:

My logline her is:
_time command Args // fields
24.05.1998 17:54 splunkA A_4040_restart //Values

4040 is the portnr. I just want to take out portnr and put it a new field called port

How do you take a value out of a field and make a new field with it?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms