How to extract text from the Message field up to t...

daniel_knights · ‎06-06-2016

We have made a dashboard to show the rare events generated by users

Account_Name=XX* |rare limit=20 EventCode |table count, EventCode, Message

but with the message field, it outputs everything below the Message= field

How can I extract from the message field up to the first "." or carriage return?

What we are after is Message="An account was logged off."

jwahlgren · ‎11-14-2016

Try:

| eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) |table Short_Message

Edit: Depending on the message you can filter out what lines to show with (Message,0) were 0 is first line. So if you only wan't to show line 3 you can specify eval Short_Message=mvindex(Message,2). In your case the above query should be correct as you only want to show the first line in the message.

sundareshr · ‎06-07-2016

Try this. New field msg should have everything before the first "."

.... | rex field=Message "\"(?<msg>[^\.\n]+)"

How to extract text from the Message field up to the first "." in Windows event logs?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to extract text from the Message field up to the first "." in Windows event logs?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...