Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a field from a single line text fil...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract a field from a single line text file and chart or graph the results?
jonzhong
New Member
09-26-2014
01:06 AM
Hi
I manage to load my directory into splunk. Its a directory of multiple single line .txt file. Splunk is able to read all the file and the time stamp correctly. How can i plot a graph or chart?
I have a single line text file. the content is as of below:
ID,FFM004-9999-01,MID,18M,D1,02/10/2012,T1,17:10:33.419,FC01,STARTUP,FD01,NIL,UC01,25911.00,UC02,40685.00,OC01,29.00,OC02,31.00,OC03,22.00,OC04,20.00
Those in bold are the tag and the value of the tag is after the comma. If I there are 10 .txt file and I want to plot a graph or chart for UC01 of all 10 files, how do I do it?
Please advise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srioux
Communicator
09-26-2014
07:53 AM
Alrighty. So, for this one, I wanted to make sure it was dynamic enough to take into account new fields created/removed from the raw data, and also do the field extractions from the events, assuming that the CSV-delineated events won't have headers across the number of files.
Pull in your base search, then I used in-line SED to match & replace the first (and every other) comma with an equal sign. We then feed it into an 'extract' command to pull out the necessary fields. From there, your stats command will vary based on what you want to showcase; in the sample search below, I just did an average of UC01 by ID.
base search... | rex mode=sed "s/(.*?),(.*?,)/\1=\2/g" | extract pairdelim="," kvdelim="=" | stats avg(UC01) AS Average by ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonzhong
New Member
09-28-2014
06:57 PM
thanks for your input
but i can't treat all "," as an "="
e.g.
UC01,25911.00*,*UC02,40685.00
i definitely can't treat this comma as an equal, its to differentiate the next tag
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srioux
Communicator
09-29-2014
05:46 AM
Fair enough. The next suggestion would be that you do field extractions based on fields you know exist and want to pull out of your record (i.e. UC01). For example, an in-line extraction would be:
base search... | rex "UC01,(?<UC01>.*?),"
Overview in docs here:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsatsearchtime
Get Updates on the Splunk Community!
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
The Visibility Gap: Hybrid Networks and IT Services
The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
