- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a field from a single line text fil...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract a field from a single line text file and chart or graph the results?
Hi
I manage to load my directory into splunk. Its a directory of multiple single line .txt file. Splunk is able to read all the file and the time stamp correctly. How can i plot a graph or chart?
I have a single line text file. the content is as of below:
ID,FFM004-9999-01,MID,18M,D1,02/10/2012,T1,17:10:33.419,FC01,STARTUP,FD01,NIL,UC01,25911.00,UC02,40685.00,OC01,29.00,OC02,31.00,OC03,22.00,OC04,20.00
Those in bold are the tag and the value of the tag is after the comma. If I there are 10 .txt file and I want to plot a graph or chart for UC01 of all 10 files, how do I do it?
Please advise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alrighty. So, for this one, I wanted to make sure it was dynamic enough to take into account new fields created/removed from the raw data, and also do the field extractions from the events, assuming that the CSV-delineated events won't have headers across the number of files.
Pull in your base search, then I used in-line SED to match & replace the first (and every other) comma with an equal sign. We then feed it into an 'extract' command to pull out the necessary fields. From there, your stats command will vary based on what you want to showcase; in the sample search below, I just did an average of UC01 by ID.
base search... | rex mode=sed "s/(.*?),(.*?,)/\1=\2/g" | extract pairdelim="," kvdelim="=" | stats avg(UC01) AS Average by ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your input
but i can't treat all "," as an "="
e.g.
UC01,25911.00*,*UC02,40685.00
i definitely can't treat this comma as an equal, its to differentiate the next tag
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fair enough. The next suggestion would be that you do field extractions based on fields you know exist and want to pull out of your record (i.e. UC01). For example, an in-line extraction would be:
base search... | rex "UC01,(?<UC01>.*?),"
Overview in docs here:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsatsearchtime
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
