How to Parse Results?

jfolland · ‎02-01-2011

I am interested in seeing only pieces of a message in the results. I would like to be able to run a search and return only a substring of the message. In sql, it would be something like "substring(message, charindex(message, 'somestringvalue'), somelength)" and thus my results would only contain the information I was interested in.

Is there a way to do this?

mw · ‎02-01-2011

The answer can also depend on what you mean by substring. For presentation purposes, there are generally better mechanisms to carve up the raw data. If the relevant data is in fields then you can "table" them as well. Depending on the purpose, this can be prettier to look at:

fail* sourcetype=syslog | table pid, process

ziegfried · ‎02-01-2011

Probably the most straight-forward way to do this is to use a regular expression. It's quite easy to translate such a substring expression to regex. In order to see the altered message, you have to change the content of the _raw field.

eg.

substring(message, charindex(message, "foo"), 20)

would be translated as

sourcetype=mysourcetype | rex "(?<_raw>foo.{17})"

You can as well use the eval command to extract substrings, but there's no charindex equivalent available:

sourcetype=mysourcetype | eval _raw=substr(_raw, 5, 25)

How to Parse Results?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How to Parse Results?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!