Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a field from a single line text fil...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract a field from a single line text file and chart or graph the results?
jonzhong
New Member
09-26-2014
01:06 AM
Hi
I manage to load my directory into splunk. Its a directory of multiple single line .txt file. Splunk is able to read all the file and the time stamp correctly. How can i plot a graph or chart?
I have a single line text file. the content is as of below:
ID,FFM004-9999-01,MID,18M,D1,02/10/2012,T1,17:10:33.419,FC01,STARTUP,FD01,NIL,UC01,25911.00,UC02,40685.00,OC01,29.00,OC02,31.00,OC03,22.00,OC04,20.00
Those in bold are the tag and the value of the tag is after the comma. If I there are 10 .txt file and I want to plot a graph or chart for UC01 of all 10 files, how do I do it?
Please advise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srioux
Communicator
09-26-2014
07:53 AM
Alrighty. So, for this one, I wanted to make sure it was dynamic enough to take into account new fields created/removed from the raw data, and also do the field extractions from the events, assuming that the CSV-delineated events won't have headers across the number of files.
Pull in your base search, then I used in-line SED to match & replace the first (and every other) comma with an equal sign. We then feed it into an 'extract' command to pull out the necessary fields. From there, your stats command will vary based on what you want to showcase; in the sample search below, I just did an average of UC01 by ID.
base search... | rex mode=sed "s/(.*?),(.*?,)/\1=\2/g" | extract pairdelim="," kvdelim="=" | stats avg(UC01) AS Average by ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonzhong
New Member
09-28-2014
06:57 PM
thanks for your input
but i can't treat all "," as an "="
e.g.
UC01,25911.00*,*UC02,40685.00
i definitely can't treat this comma as an equal, its to differentiate the next tag
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srioux
Communicator
09-29-2014
05:46 AM
Fair enough. The next suggestion would be that you do field extractions based on fields you know exist and want to pull out of your record (i.e. UC01). For example, an in-line extraction would be:
base search... | rex "UC01,(?<UC01>.*?),"
Overview in docs here:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsatsearchtime
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Announcing the General Availability of Splunk Enterprise Security 8.1!
We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
