How to extract specific data from a value?

msarkaus · ‎11-20-2022

Hello,

I would like to extract specific values from a log and display it in my Dashboard.

For example, the value is:

?QuoteId=CA10118&AgentId=12345&state=MN&Category=RetailSales

Is it possible to extract the word "AgentId=12345" and "state=MN"?

"AgentId" and "state" will always be the same. The value that follows will always change.

I would like to also display each value in a separate column

i.e.

Agent ID State

12345 MN

Any help would be appreciated.

PickleRick · ‎11-21-2022

Adding to the two answers you already have - if you use the fields often and if you filter your data on them it's good to define extractions for the sourcetype.

Due to how splunk works it should be much faster to do

<your conditions> Field=Value

using predefined extractions than

<your conditions>
| <command extracting field Field>
| search Field=Value

Sometimes splunk can optimize some sub-optimal searches but let's not add it unnecessary work 😉

yuanliu · ‎11-21-2022

An alternative is to just use kv (aka extract) command. Assuming that the value belongs to a field uri, you can do

| rename _raw as temp, uri as _raw
| kv
| rename temp as _raw

Now you have

AgentId	Category	QuoteId	state
12345	RetailSales	CA10118	MN

bowesmana · ‎11-20-2022

Assuming your field containing the data is _raw, then use the rex statement in the working example below

| makeresults
| eval _raw="?QuoteId=CA10118&AgentId=12345&state=MN&Category=RetailSales"
| rex "AgentId=(?<AgentId>\d+).*state=(?<state>\w+)"
| table AgentId state

This assumes that state will always follow AgentId

How to extract specific data from a value?

field extraction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?