Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract fields from the header?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mklhs
Path Finder
02-20-2020
04:48 AM
Hello,
I would like to leave the
"header.JMSDestination"="topic/testTopic/Durable-Non-Subscription/20"
the last two fields extract us as a field by creating an eval function so that it looks like the following:
"Durable-Non-Subscription.20" Next step I would like to separate this variable again so that it looks like "Non-Subscription.20". Finally, I need two variables:
"Durable-Non-Subscription.20"
"Non-Subscription.20"
Thank you very much
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-20-2020
02:01 PM
If field header.JMSDestination contains different path with same structure in each events, then you can use this:
| makeresults
| eval header.JMSDestination="topic/testTopic/Durable-Non-Subscription/20" | append [| makeresults
| eval header.JMSDestination="nexttopic/nexttestTopic/nextDurable-Non-Subscription/20" ]
| rex field=header.JMSDestination "(?<feild1>[\w-]+/[\d]+)$"
| rex field=header.JMSDestination "-(?<feild2>[\w-]+/[\d]+)$"
| eval feild1=replace(feild1, "/", "."), feild2=replace(feild2, "/", ".")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-20-2020
02:01 PM
If field header.JMSDestination contains different path with same structure in each events, then you can use this:
| makeresults
| eval header.JMSDestination="topic/testTopic/Durable-Non-Subscription/20" | append [| makeresults
| eval header.JMSDestination="nexttopic/nexttestTopic/nextDurable-Non-Subscription/20" ]
| rex field=header.JMSDestination "(?<feild1>[\w-]+/[\d]+)$"
| rex field=header.JMSDestination "-(?<feild2>[\w-]+/[\d]+)$"
| eval feild1=replace(feild1, "/", "."), feild2=replace(feild2, "/", ".")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
morethanyell
Builder
02-20-2020
05:53 AM
Try this
| makeresults
| eval _raw = "\"header.JMSDestination\"=\"topic/testTopic/Durable-Non-Subscription/20\""
| rex "testTopic\/(?<field1>[^\"]+)"
| rex field=field1 mode=sed "s/\//./g"
| rex field=field1 "Durable-(?<field2>.*)$"
Get Updates on the Splunk Community!
Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know
To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...
October Community Champions: A Shoutout to Our Contributors!
As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...
Automatic Discovery Part 2: Setup and Best Practices
In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...
