Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How to extract fields without regex?

ahooper239
New Member
โ€Ž08-29-2014 10:05 AM

I'm trying to extract fields from a message containing the following string..

'database'=running 'management'=running 'runtime'=running 'adclient'=running 'ntpd'=running 'logforward'=running,

I'm trying to create fields such as database, management, etc. that will store a value of running, down, etc. I tried using regex from the interactive field extractor but once I try to extract 'runtime' or anything past that, no regex can be extracted. Are there any simple ways of doing what I need to do?

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
โ€Ž08-29-2014 12:22 PM

Splunk can parse events of the form field=value, but I think the quotes in your example will be problematic.

A rex query is simple enough, assuming your fields are always in the same order.

<search> | rex "'database'=(?<database>\w+)\s'management'=(?<management>\w+)\s'runtime'=(?<runtime>\w+)\s ..." | ...

This works in RegExr, but I haven't verified the quotes won't confuse Splunk.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply