How to extract desired data from search result?

sneha03 · ‎05-11-2022

Hi Team,

We are trying below search:

index=index_123 host=xyz source="/sys_apps_01/pqr/logs/xyz/mapper_xyz.log" ContextKeyMatch: Context Field Value

which gives below results with multiple rows as below:

Now we want to extract data after Context Filed Value. The string having "Context Filed Value" is of variable string length

We have multiple rows like above and we need to extract such data from each row. like : 005436213114023275.

Once we have the extracted data we need to fetch only last 12 digits

Could you please suggest regarding this?

ITWhisperer · ‎05-11-2022

Try something like this

| rex "Context Field Value\s+\d*(?<value>\d{12})"

PickleRick · ‎05-11-2022

Ideally, you should have this defined as an automatically extracted field so you don't have to do it ad-hoc every time. But for a one-off extraction you can do it with the rex command. Something like this:

<your search>
| rex "Context Filed Value.*(?<my_field>\d{12})$"

How to extract desired data from search result?

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?

How to extract desired data from search result?

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI