Splunk Search

How to extract a field from within the value of another field?

New Member

I have a field called RAW_DATA with the following value, for example:
121014102709300701296259621803001024193524000100000001042000000000010400000004360000000000A000198799600476498796150501

I want to extract the portion below between spaces and '[' and ']':
121014102709300701296259621803001024193524000100000001042000000000010400000004360000000000A [000198799600] 476498796150501

How can I achieve this creating a new field extraction?

0 Karma
1 Solution

Builder

Try this:

<your index / sourcetypes> | rex field=RAW_DATA "\d+A(?<number_extracted>\d{12})\d+" 

This should extract your portion into a new field (number_extracted).

Revered Legend

If RAW_DATA is an existing field, then you can use the calculated fields to extract your 12 digit number as well.

From the Splunk UI, go to Settings->Fields->Calculated fields->New. Select the appropriate Destination app and sourcetype. Give it a name and put this as the eval expression:

 replace(RAW_DATA,"(\w{91})(\d{12})(.*)","\2")

For more details and doing the same from props.conf, see this
http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/definecalcfields

New Member

It works, thank you!

And how can I use it in Field Extractor Page?

0 Karma

Path Finder

Can you post your full log??

0 Karma

Revered Legend

Just in case your 12 digit number is not always followed by letter "A", then you can use this

Your base search | rex field=RAW_DATA "\w{91}(?<number_extracted2>\d{12})\d+"

New Member

Yes! I always need the same portion. The RAW_DATA length is fixed, and I need to extract these 12 digits from the same position. More examples of data are:

(i)
161014102709295401500539001199001000637589000100000000600000000000006000000012460000000000A000198799601086268715200355...PLAIN TEXT WITH NOT IMPORTANT INFORMATION

(ii)
121014102709300802337162776343000002007797000100000000600000000000006000000047620000000000A000198799605339436725490508PLAIN TEXT WITH NOT IMPORTANT INFORMATION

0 Karma
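Added example, not code from any poster in this thread: a Python check of the two rex patterns from the replies above against the records posted here, so the extraction can be validated offline before it is saved as a field extraction or calculated field. The record with the marker letter changed to "B" is constructed for the check.

```python
import re
from typing import Optional

# Records copied from this thread: the asker's samples (i) and (ii), and the
# original RAW_DATA value. The wanted 12 digits start at 0-based index 91.
SAMPLES = [
    "161014102709295401500539001199001000637589000100000000600000000000006000000012460000000000A000198799601086268715200355...PLAIN TEXT WITH NOT IMPORTANT INFORMATION",
    "121014102709300802337162776343000002007797000100000000600000000000006000000047620000000000A000198799605339436725490508PLAIN TEXT WITH NOT IMPORTANT INFORMATION",
    "121014102709300701296259621803001024193524000100000001042000000000010400000004360000000000A000198799600476498796150501",
]

# The two rex patterns from the replies. Python spells a named group (?P<name>...)
# where Splunk's rex accepts (?<name>...); the matching behaviour is the same.
LETTER_ANCHORED = re.compile(r"\d+A(?P<number_extracted>\d{12})\d+")
POSITION_ANCHORED = re.compile(r"\w{91}(?P<number_extracted>\d{12})\d+")


def extract(raw: str, pattern: re.Pattern = POSITION_ANCHORED) -> Optional[str]:
    """Mimic `rex field=RAW_DATA "<pattern>"`: unanchored search, first match
    wins, None when nothing matches (Splunk would leave the field unset)."""
    m = pattern.search(raw)
    return m.group("number_extracted") if m else None


def by_offset(raw: str) -> str:
    """Plain fixed-width slice of the same 12 characters (indexes 91..102);
    a cheap cross-check that the regex picks the intended columns."""
    return raw[91:103]


def without_marker(raw: str) -> str:
    """Constructed variant: the letter at index 90 replaced by 'B', to show
    which pattern still works when the marker is not an 'A'."""
    return raw[:90] + "B" + raw[91:]


if __name__ == "__main__":
    for raw in SAMPLES:
        print(extract(raw, LETTER_ANCHORED), extract(raw), by_offset(raw))
    altered = without_marker(SAMPLES[2])
    # Letter-anchored pattern finds nothing; position-anchored still works.
    print(extract(altered, LETTER_ANCHORED), extract(altered))
```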

Builder

Do you always have to extract the same portion? (000198799600) Do you have more sample data?

0 Karma