Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract name of the job from the raw text?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract name of the job from the raw text?
Hi Team,
Below is the raw text that has been received into our splunk portal. It has a field called name of the job.
{"timestamp": "2023-03-29T04:57:07.366881Z", "level": "INFO", "filename": "splunk_sample_csv.py", "funcName": "main", "lineno": 38, "message": "Dataframe row : {\"_c0\":{\"0\":\"{\",\"1\":\" \\\"total\\\": 236\",\"2\":\" \\\"statuses\\\": [\",\"3\":\" {\",\"4\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"5\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"6\":\" \\\"count\\\": 0\",\"7\":\" \\\"name\\\": \\\"BHW_T8841_ANTRAG_RDV\\\"\",\"8\":\" \\\"jobId\\\": \\\"LNDEV02:0dqvp\\\"\",\"9\":\" }\",\"10\":\" {\",\"11\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"12\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"13\":\" \\\"count\\\": 0\",\"14\":\" \\\"name\\\": \\\"BHW_T8009_DATEN_EBIS_RDV\\\"\",\"15\":\" \\\"jobId\\\": \\\"LNDEV02:0dqvi\\\"\",\"16\":\" }\",\"17\":\" {\",\"18\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"19\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"20\":\" \\\"count\\\": 0\",\"21\":\" \\\"name\\\": \\\"BHW_T5895_AZV_DATEN_RDV\\\"\",\"22\":\" \\\"jobId\\\": \\\"LNDEV02:0dqvd\\\"\",\"23\":\" }\",\"24\":\" {\",\"25\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"26\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"27\":\" \\\"count\\\": 0\",\"28\":\" \\\"name\\\": \\\"BHW_T5829_SONDERTILGUNG_RDV\\\"\",\"29\":\" \\\"jobId\\\": \\\"LNDEV02:0dqv9\\\"\",\"30\":\" }\",\"31\":\" {\",\"32\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"33\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"34\":\" \\\"count\\\": 0\",\"35\":\" \\\"name\\\": \\\"BHW_T5152_PROLO_ZINSEN_RDV\\\"\",\"36\":\" \\\"jobId\\\": \\\"LNDEV02:0dqv6\\\"\",\"37\":\" }\",\"38\":\" {\",\"39\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"40\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"41\":\" \\\"count\\\": 0\",\"42\":\" \\\"name\\\": \\\"BHW_T5149_PROLO_KOND_RDV\\\"\",\"43\":\" \\\"jobId\\\": \\\"LNDEV02:0dqv1\\\"\",\"44\":\" }\",\"45\":\" {\",\"46\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"47\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"48\":\" \\\"count\\\": 0\",\"49\":\" \\\"name\\\": \\\"BHW_T5144_ZUT_SALDEN_RDV\\\"\",\"50\":\" \\\"jobId\\\": \\\"LNDEV02:0dqux\\\"\",\"51\":\" }\",\"52\":\" {\",\"53\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"54\":\"
We need to separate the text after \\\"name\\\":\\\"**********\\\.
We need to separate the ***** text .
Please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<name>[^\\\]+)"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also can you please help me on how to add the extracted name as a column in a tabular view in the splunk dashboard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure what you are asking for here - you already have a field (column) called name extracted by the rex command. It is a multivalue-field. Do you just need it as separate events (rows) in a table?
| table name
| mvexpand name
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
