How to display the entire string when it has something like Foo=123|456 ?

servlette
Engager

I am logging something like: Foo=123|456
When I query Splunk to get me Foo, it only prints 123 and it ignores |456.

I don't have anything like Foo="123|456" and what I have is: Foo=123|456

Please let me know how I get the entire value of Foo.

I need to get the entire value of it and to parse it to get 456.


somesoni2
SplunkTrust

Give this a try (length independent)

your base search | rex "Foo=(?<Foo>\w+\|\w+)" 

Once satisfied, you can save this extraction in props.conf on search head to improve performance.

servlette
Engager

thank you 🙂


aljohnson_splun
Splunk Employee

Create a field extraction with the sparkly new field extractor. See a guide here.

You could also use rex to do a search time extraction:

| rex "Foo=(?<my_one_two_three>\d{3})\|(?<my_four_five_six>\d{3})"

servlette
Engager

Let me try... Thanks...


servlette
Engager

By the way, for illustration I used 123|456 and the length of 123 or 456 is not fixed. They can be of any length. The only thing I am interested is the values separated by "|".

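An added example (not from the thread or from Splunk) that checks the accepted answer's rex pattern offline against the variable-length case raised in the last reply. It uses Python's re as a stand-in for Splunk's PCRE-based rex, which is safe for these simple patterns; the only syntax difference is that Python names groups with (?P<name>...) where Splunk uses (?<name>...). The sample events are constructed.

```python
import re

# Constructed sample events (not from the original thread); value lengths vary.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z INFO Foo=123|456 user=alice",
    "2024-03-01T10:00:01Z INFO Foo=7|98765 user=bob",
    "2024-03-01T10:00:02Z INFO Foo=abc12|x user=carol",
]

# Naive key=value extraction: stops at the first non-word character, so the
# '|' and everything after it is dropped. This mirrors what the asker saw.
NAIVE = re.compile(r"Foo=(?P<Foo>\w+)")

# The accepted answer's pattern (SPL: | rex "Foo=(?<Foo>\w+\|\w+)").
# Length independent: \w+ matches one or more word chars on either side of '|'.
FULL = re.compile(r"Foo=(?P<Foo>\w+\|\w+)")

# Second step the asker needs: split the captured value into its two parts
# (SPL equivalent: | rex field=Foo "^(?<left>\w+)\|(?<right>\w+)$").
SPLIT = re.compile(r"^(?P<left>\w+)\|(?P<right>\w+)$")


def extract(event: str, pattern: re.Pattern) -> dict:
    """Return the named groups of the first match, or {} if nothing matches."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def extract_full_and_split(event: str) -> dict:
    """Capture the whole Foo value, then break it into left/right parts."""
    fields = extract(event, FULL)
    if "Foo" in fields:
        fields.update(extract(fields["Foo"], SPLIT))
    return fields


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("naive:", extract(ev, NAIVE), "full:", extract_full_and_split(ev))
```

Once the pattern behaves as expected here, the same regex can go into a rex command or a props.conf extraction as the accepted answer suggests.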