Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract field with it's value enclosed ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When parsing some customized log, the format it's like below
[timestamps] field name [value]
[00:46:38] - Remain Queue [ 0 ]
[00:46:38] - Remain Queue [ 2 ]
The only search term works for me is "Remain Queue" NOT 0. I've tried "Remain Queue">0 but no luck. How can I search/sort the remain queue count? How to train splurk to know Remain Queue is a field?
Further more, I've got another log entry looks like below. Is it possible to parse it if I want key-value pair become Connect=93?
[00:46:38] - Connect [ 330931 / 330838 ] [ 93 ]
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Define your field extraction via a regex:
^\[[^\]]+\]\s+\-\s*([\w ]+).+\[\s*([^\s]+)\s*\]
This is the format that you would add to props.conf, where the matched groups $1 and $2 will extract the field data you want.
You can also try this inline via the rex command (as to avoid editing conf files):
... | rex "^\[[^\]]+\]\s+\-\s*(?<action>[\w ]+).+\[\s*(?<value>[^\s]+)\s*\]" | search action="Remain Queue" value>=10
where the named extractions will generate a action and value field. The subsequent search command then uses the newly extracted fields. This regex works on both examples you provided:
[00:46:38] - Remain Queue [ 0 ]
[00:46:38] - Remain Queue [ 2 ]
[00:46:38] - Connect [ 330931 / 330838 ] [ 93 ]
You can test out the regexes online at a regex testing page.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Define your field extraction via a regex:
^\[[^\]]+\]\s+\-\s*([\w ]+).+\[\s*([^\s]+)\s*\]
This is the format that you would add to props.conf, where the matched groups $1 and $2 will extract the field data you want.
You can also try this inline via the rex command (as to avoid editing conf files):
... | rex "^\[[^\]]+\]\s+\-\s*(?<action>[\w ]+).+\[\s*(?<value>[^\s]+)\s*\]" | search action="Remain Queue" value>=10
where the named extractions will generate a action and value field. The subsequent search command then uses the newly extracted fields. This regex works on both examples you provided:
[00:46:38] - Remain Queue [ 0 ]
[00:46:38] - Remain Queue [ 2 ]
[00:46:38] - Connect [ 330931 / 330838 ] [ 93 ]
You can test out the regexes online at a regex testing page.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, you need to add another search or where command after the rex because the field will only come into being after it, like: * | rex ... | where action="Remain Queue" value>10. I've updated the example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The other question is there're so many props.conf files in splunk folder. Which one should I modify. And which section and what key should I add in?
eg.
[SECTION NAME]
KEY = ^[[^]]+]\s+-\s*([\w ]+).+[\s*([^\s]+)\s*]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the awesome solution. But I am too new to get this work. I tried to search with '"Remain Queue" > 10 | rex "^[[^]]+]\s+-\s*(?
Splunk Observability for AI
[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
