Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Need to extract name of the job from the raw t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract name of the job from the raw text?
Hi Team,
Below is the raw text that has been received into our splunk portal. It has a field called name of the job.
{"timestamp": "2023-03-29T04:57:07.366881Z", "level": "INFO", "filename": "splunk_sample_csv.py", "funcName": "main", "lineno": 38, "message": "Dataframe row : {\"_c0\":{\"0\":\"{\",\"1\":\" \\\"total\\\": 236\",\"2\":\" \\\"statuses\\\": [\",\"3\":\" {\",\"4\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"5\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"6\":\" \\\"count\\\": 0\",\"7\":\" \\\"name\\\": \\\"BHW_T8841_ANTRAG_RDV\\\"\",\"8\":\" \\\"jobId\\\": \\\"LNDEV02:0dqvp\\\"\",\"9\":\" }\",\"10\":\" {\",\"11\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"12\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"13\":\" \\\"count\\\": 0\",\"14\":\" \\\"name\\\": \\\"BHW_T8009_DATEN_EBIS_RDV\\\"\",\"15\":\" \\\"jobId\\\": \\\"LNDEV02:0dqvi\\\"\",\"16\":\" }\",\"17\":\" {\",\"18\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"19\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"20\":\" \\\"count\\\": 0\",\"21\":\" \\\"name\\\": \\\"BHW_T5895_AZV_DATEN_RDV\\\"\",\"22\":\" \\\"jobId\\\": \\\"LNDEV02:0dqvd\\\"\",\"23\":\" }\",\"24\":\" {\",\"25\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"26\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"27\":\" \\\"count\\\": 0\",\"28\":\" \\\"name\\\": \\\"BHW_T5829_SONDERTILGUNG_RDV\\\"\",\"29\":\" \\\"jobId\\\": \\\"LNDEV02:0dqv9\\\"\",\"30\":\" }\",\"31\":\" {\",\"32\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"33\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"34\":\" \\\"count\\\": 0\",\"35\":\" \\\"name\\\": \\\"BHW_T5152_PROLO_ZINSEN_RDV\\\"\",\"36\":\" \\\"jobId\\\": \\\"LNDEV02:0dqv6\\\"\",\"37\":\" }\",\"38\":\" {\",\"39\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"40\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"41\":\" \\\"count\\\": 0\",\"42\":\" \\\"name\\\": \\\"BHW_T5149_PROLO_KOND_RDV\\\"\",\"43\":\" \\\"jobId\\\": \\\"LNDEV02:0dqv1\\\"\",\"44\":\" }\",\"45\":\" {\",\"46\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"47\":\" \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"48\":\" \\\"count\\\": 0\",\"49\":\" \\\"name\\\": \\\"BHW_T5144_ZUT_SALDEN_RDV\\\"\",\"50\":\" \\\"jobId\\\": \\\"LNDEV02:0dqux\\\"\",\"51\":\" }\",\"52\":\" {\",\"53\":\" \\\"status\\\": \\\"Wait Condition\\\"\",\"54\":\"
We need to separate the text after \\\"name\\\":\\\"**********\\\.
We need to separate the ***** text .
Please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<name>[^\\\]+)"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also can you please help me on how to add the extracted name as a column in a tabular view in the splunk dashboard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure what you are asking for here - you already have a field (column) called name extracted by the rex command. It is a multivalue-field. Do you just need it as separate events (rows) in a table?
| table name
| mvexpand name
Building Reliable Asset and Identity Frameworks in Splunk ES
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
Automatic Discovery Part 3: Practical Use Cases
