Re: How to extract fields from _raw field

kiran4splunk · ‎09-06-2012

Hi All,

I am new to Splunk.
I have informatica log.i have uploaded into splunk.when i am searching i am getting 5 fields.
in that 5 fields i have _raw field that contains all the fields that i want in my Report.

_time                                   host     sourcetype source    _raw

6 6/28/12 7:09:35.000 AM     NODE_DEV    Informatica     S_M_O1_HR_APPL_ASSIGN_EXTRACT.txt  2012-06-28 07:09:35 : INFO : (28947 | DIRECTOR) : (IS | Integration_Service_Dev) : NODE_DEV : CMN_1740 : Table: [SQ_IRC_ASSIGNMENT_STATUSES] (Instance Name: [SQ_IRC_ASSIGNMENT_STATUSES]) Output Rows [5497], Affected Rows [5497], Applied Rows [5497], Rejected Rows [0]

_raw field contains Instance Name,Output Rows,Affected Rows,Applied Rows,Rejected Rows.
My requirement is i want Instance Name,Output Rows,Affected Rows,Applied Rows,Rejected Rows to be displayed as seperate fields in my report.

Please suggest me the Solve.

Reply ASAP.
Thanks and Regards
Kiran Kumar

ayme · ‎09-06-2012

See http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample

Once you have your fields defined you can simply report on them in a tabular fashion:

... | table _time, InstanceName,OutputRows,AffectedRows,AppliedRows,RejectedRows

Or create sophisticated charts and reports

... | stats sum(OutputRows) by InstanceName

How to extract fields from _raw field

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?

How to extract fields from _raw field

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025