Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the field value which has space

Anush
Engager
‎10-28-2020 09:57 PM

Below is the sample field value from the event, 

 sourceServiceName=Endpoint Web analyzedBy=Policy Engine Status=New Success=True

By default, the field value detects only Endpoint and not the full text Endpoint Web

Som I used the below rex command but it didn't work,

rex "sourceServiceName=(?<sourceServiceName>[^\"]+)"    - This one fetches all the text starting from "Endpoint to end of that event" 

Also the value of the field sourceServiceName can be anything, i.e -Endpoint Web or Endpoint Printing Endpoint USB  etc. First word -Endpoint Second word -any can any word

I want to fetch only the value of field serviceSourceName

Can you please help?

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-28-2020 11:54 PM

Hi

you could try this

index=_internal
| head 1
| eval _raw = "sourceServiceName=Endpoint Web analyzedBy=Policy Engine Status=New Success=True Some=Other fields"
```Previous was set up the data, next one is the logic```
| rex "sourceServiceName=(?<sourceServiceName>[\w\s]+)\s+\w+="

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Anush
Engager
‎11-01-2020 02:24 PM

Thanks a lot. It worked

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-28-2020 11:54 PM

Hi

you could try this

index=_internal
| head 1
| eval _raw = "sourceServiceName=Endpoint Web analyzedBy=Policy Engine Status=New Success=True Some=Other fields"
```Previous was set up the data, next one is the logic```
| rex "sourceServiceName=(?<sourceServiceName>[\w\s]+)\s+\w+="

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...