How to extract desired data from search result?

sneha03 · ‎05-11-2022

Hi Team,

We are trying below search:

index=index_123 host=xyz source="/sys_apps_01/pqr/logs/xyz/mapper_xyz.log" ContextKeyMatch: Context Field Value

which gives below results with multiple rows as below:

Now we want to extract data after Context Filed Value. The string having "Context Filed Value" is of variable string length

We have multiple rows like above and we need to extract such data from each row. like : 005436213114023275.

Once we have the extracted data we need to fetch only last 12 digits

Could you please suggest regarding this?

ITWhisperer · ‎05-11-2022

Try something like this

| rex "Context Field Value\s+\d*(?<value>\d{12})"

PickleRick · ‎05-11-2022

Ideally, you should have this defined as an automatically extracted field so you don't have to do it ad-hoc every time. But for a one-off extraction you can do it with the rex command. Something like this:

<your search>
| rex "Context Filed Value.*(?<my_field>\d{12})$"

How to extract desired data from search result?

other

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...