Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract fields from the header?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mklhs
Path Finder
02-20-2020
04:48 AM
Hello,
I would like to leave the
"header.JMSDestination"="topic/testTopic/Durable-Non-Subscription/20"
the last two fields extract us as a field by creating an eval function so that it looks like the following:
"Durable-Non-Subscription.20" Next step I would like to separate this variable again so that it looks like "Non-Subscription.20". Finally, I need two variables:
"Durable-Non-Subscription.20"
"Non-Subscription.20"
Thank you very much
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-20-2020
02:01 PM
If field header.JMSDestination contains different path with same structure in each events, then you can use this:
| makeresults
| eval header.JMSDestination="topic/testTopic/Durable-Non-Subscription/20" | append [| makeresults
| eval header.JMSDestination="nexttopic/nexttestTopic/nextDurable-Non-Subscription/20" ]
| rex field=header.JMSDestination "(?<feild1>[\w-]+/[\d]+)$"
| rex field=header.JMSDestination "-(?<feild2>[\w-]+/[\d]+)$"
| eval feild1=replace(feild1, "/", "."), feild2=replace(feild2, "/", ".")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-20-2020
02:01 PM
If field header.JMSDestination contains different path with same structure in each events, then you can use this:
| makeresults
| eval header.JMSDestination="topic/testTopic/Durable-Non-Subscription/20" | append [| makeresults
| eval header.JMSDestination="nexttopic/nexttestTopic/nextDurable-Non-Subscription/20" ]
| rex field=header.JMSDestination "(?<feild1>[\w-]+/[\d]+)$"
| rex field=header.JMSDestination "-(?<feild2>[\w-]+/[\d]+)$"
| eval feild1=replace(feild1, "/", "."), feild2=replace(feild2, "/", ".")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
morethanyell
Builder
02-20-2020
05:53 AM
Try this
| makeresults
| eval _raw = "\"header.JMSDestination\"=\"topic/testTopic/Durable-Non-Subscription/20\""
| rex "testTopic\/(?<field1>[^\"]+)"
| rex field=field1 mode=sed "s/\//./g"
| rex field=field1 "Durable-(?<field2>.*)$"
Get Updates on the Splunk Community!
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
New Release | Splunk Cloud Platform 10.1.2507
Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
🗣 You Spoke, We Listened
Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.
In ...
