Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract multiple values from output to create new column in table with associated values

najaplit
New Member
‎04-08-2021 07:29 AM

Hello,

I have a search query that produces a value similar to below.  What i am trying to accomplish is to extract the "Data", "Time", and "Notes" section and to output those values to a table with each in a separate column.   What would be an efficient way to accomplish this?  I am seeing some regex syntax fines but not as familiar with it.  Any help is appreciated.  Thanks!

----------------------------------------

Value:

CompName: XXX XXX Type: XXX EmpName: XXX Date: XX-XX-XXXX Time 9:00AM Notes: XXXX

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
Ultra Champion
‎04-08-2021 08:08 AM

I modified your example show it working for PM times and included a colon after Time to make it consistent, but this is an example of how you might approach it

| makeresults 
| eval _raw="CompName: XXX XXX Type: XXX EmpName: XXX Date: 23-03-2021 Time: 9:00PM Notes: WXYZ"
| rex "Date:\s(?<date>[^\s]+)\sTime:\s(?<time>[^\s]+)\sNotes:\s(?<notes>.*)"
| eval _time=strptime(date." ".time,"%d-%m-%Y %I:%M%p")
0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!