Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract fields from events where the field location isn't constant and keeps changing?

VI371887
Path Finder
‎03-08-2018 09:04 AM

I want to write a query or rex under field extraction, to extract each value following a string and stopping at coma,

example :
hcyycuvubuv : 45544.466, "cpu percentage" :23.45667, "higghh": 23.345t,

in above string, I am only looking for numbers that come after "cpu_percentage":
, which is 23.45667

problem is, in my events the cpu percentage string is not at the same location in logs.

example :

first event
chhchvhvh: 223. 455, "cpu_percentage":23.45677,gghffvhh:3455

second event
chhchvhvh: 223. 455, tuvjvujjvg:3456.566, "cpu_percentage":23.45677,gghffvhh:3455.788

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

anjambha
Communicator
‎03-08-2018 11:01 PM

Hi VI371887,

Try this run search anywhere..

| makeresults | eval data="\"disk_bytes\":23.10,\"disk_bytes_quota\":23.13t," | rex field=data "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"

in your environment:

base search |  rex field=_raw "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"

OR

base search | rex field=data "disk_bytes\"\:(?<disk_bytes>[^,]+)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>[^,]+)\,"

View solution in original post

Reply
Solved! Jump to solution
Solution

anjambha
Communicator
‎03-08-2018 11:01 PM

Hi VI371887,

Try this run search anywhere..

| makeresults | eval data="\"disk_bytes\":23.10,\"disk_bytes_quota\":23.13t," | rex field=data "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"

in your environment:

base search |  rex field=_raw "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"

OR

base search | rex field=data "disk_bytes\"\:(?<disk_bytes>[^,]+)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>[^,]+)\,"
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎03-08-2018 09:28 AM

Hey VI371887,

You can try the following:

base search|rex field=_raw "\"cpu_percentage\"\:(?P<percentage>\d+.\d+[^,])"

Let me know if this helps!!!

0 Karma
Reply
Solved! Jump to solution

VI371887
Path Finder
‎03-20-2018 11:36 PM

hi i am having similar issues,

with msg field

it's has different values can be numbers, strings, path, punctuations, blank space like shown below.

"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :" "

now problem is, i have written rex as
\msg\":(? \". *\") \,

but it returns value which following msg field.

"msg" :"vjvuv igivc uvviv", "origin" :"abcgc", "time" :23.45677",

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-08-2018 09:25 AM

Try like this

your base search 
| rex "\"cpu_percentage\"\:(?<cpu_percentage>[^,]+)"

or

your base search
| extract pairdelim="," kvdelim=":"
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...