Re: How to extract fields from _raw field

kiran4splunk · ‎09-06-2012

Hi All,

I am new to Splunk.
I have informatica log.i have uploaded into splunk.when i am searching i am getting 5 fields.
in that 5 fields i have _raw field that contains all the fields that i want in my Report.

_time                                   host     sourcetype source    _raw

6 6/28/12 7:09:35.000 AM     NODE_DEV    Informatica     S_M_O1_HR_APPL_ASSIGN_EXTRACT.txt  2012-06-28 07:09:35 : INFO : (28947 | DIRECTOR) : (IS | Integration_Service_Dev) : NODE_DEV : CMN_1740 : Table: [SQ_IRC_ASSIGNMENT_STATUSES] (Instance Name: [SQ_IRC_ASSIGNMENT_STATUSES]) Output Rows [5497], Affected Rows [5497], Applied Rows [5497], Rejected Rows [0]

_raw field contains Instance Name,Output Rows,Affected Rows,Applied Rows,Rejected Rows.
My requirement is i want Instance Name,Output Rows,Affected Rows,Applied Rows,Rejected Rows to be displayed as seperate fields in my report.

Please suggest me the Solve.

Reply ASAP.
Thanks and Regards
Kiran Kumar

ayme · ‎09-06-2012

See http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample

Once you have your fields defined you can simply report on them in a tabular fashion:

... | table _time, InstanceName,OutputRows,AffectedRows,AppliedRows,RejectedRows

Or create sophisticated charts and reports

... | stats sum(OutputRows) by InstanceName

How to extract fields from _raw field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation