Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the all the field using rex?

karthi2809
Builder
‎06-20-2018 02:27 AM

How to extract success and fatal into one field and also extract two Fields after FATAL 

2018-06-18 02:06:34,606|261529301994221|MA_SELECT|785M91236|602304234|001|WGS20||||EMAIL|SPALACIOS810@GMAIL.COM|LEVEL2|||SUCCESS|| 
2018-06-18 02:06:34,294|7961529301994286|MA_SELECT|AN72688470000|202465241|001|NASCO||||EMAIL|SANGELI@OUTDRS.NET|LEVEL2|||
FATAL|E000057P|Member not found
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-20-2018 03:04 AM

Shortcut approach to extract into result field:

| rex "\|(?<result>SUCCESS|FATAL)\|"

This is a shortcut since it assumes there are no other part of the event that could match this SUCCESS or FATAL string.

A safer approach would be to create a regex that extracts the SUCCESS/FATAL value from the expected location in the message:

| rex "(?:[^\|]*\|){15}(?<result>SUCCESS|FATAL)"

https://regex101.com/r/FvClhk/1

An other option is to configure delimiter based field extraction.

props.conf:

REPORT-extractfields = extractfields

transforms.conf

[extractfields]
DELIMS = "|"
FIELDS = field1, field2, field3

Note: replace the field1 etc. with your own list of comma separated field names.

View solution in original post

Reply
Solved! Jump to solution

rlait_splunk
Splunk Employee
Splunk Employee
‎06-20-2018 03:05 AM

If it's just FATAL or SUCCESS, you could try:

(?<status>FATAL|SUCCESS)
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-20-2018 03:04 AM

Shortcut approach to extract into result field:

| rex "\|(?<result>SUCCESS|FATAL)\|"

This is a shortcut since it assumes there are no other part of the event that could match this SUCCESS or FATAL string.

A safer approach would be to create a regex that extracts the SUCCESS/FATAL value from the expected location in the message:

| rex "(?:[^\|]*\|){15}(?<result>SUCCESS|FATAL)"

https://regex101.com/r/FvClhk/1

An other option is to configure delimiter based field extraction.

props.conf:

REPORT-extractfields = extractfields

transforms.conf

[extractfields]
DELIMS = "|"
FIELDS = field1, field2, field3

Note: replace the field1 etc. with your own list of comma separated field names.

Reply
Solved! Jump to solution

karthi2809
Builder
‎06-20-2018 03:15 AM

I need to extract two fields after FATAL

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎06-20-2018 03:44 AM

@karthi2809, try this extended version to extract remaining fields:

 |rex field=data "\|(?<result>SUCCESS|FATAL)\|(?<number>\w+)?\|(?<status>[a-zA-Z ]+)?"
Reply
Solved! Jump to solution

karthi2809
Builder
‎06-20-2018 04:09 AM

Thank you so much

0 Karma
Reply
Solved! Jump to solution

Anam
Community Manager
Community Manager
‎06-20-2018 02:38 PM

Hi @karthi2809

My name is Anam and I am the Community Content Specialist for Splunk Answers. Please go ahead and accept the answer that worked for you. If it is a comment, let me know and I can convert it to an answer and accept it.

Thanks

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎06-20-2018 02:36 AM

can you put the sample events in 101010 sample code format as I am not able to understand it

0 Karma
Reply
Solved! Jump to solution

karthi2809
Builder
‎06-20-2018 02:56 AM

101010|101010|101010|101010|101010|101010|101010||||101010|101010|101010|||FATAL|E000110|file not found
101010|101010|101010|101010|101010|101010|101010||||101010| 101010 |101010|||SUCCESS||
101010|101010|101010|101010|101010|101010|101010|||101010|101010| 101010 |101010|||FATAL|E10021|file not found

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎06-20-2018 03:09 AM

he meant using the 101010 button in the editor, to mark the sample as code, that prevents special characters from dissapearing etc.

But take a look at my answer below and see if that works.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...