Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract values from all fields?

senthamilselvan
Engager
‎01-29-2018 03:14 AM

Hi Team,
I want to extract the values like left side(LABEL on of the fileds) all fields and values should take from all the logs.

LABEL = SRC_RSTRT , SRC_RSTRS, GBLRESRM_MONITOR_TI
LABEL:          SRC_RSTRT
IDENTIFIER:     CB4A951F

Date/Time:       Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id:      00F9FFDD4C00
Node Id:         nc006qad02
Class:           S
Type:            INFO
WPAR:            Global
Resource Name:   SRC             

LABEL:          SRC_RSTRS
IDENTIFIER:     CB4A951F

Date/Time:       Wed Sep 27 06:51:00 EDT 2017
Sequence Number: 192160
Machine Id:      00F9FFDD4C00
Node Id:         nc006qad02
Class:           S
Type:            INFO
WPAR:            Global
Resource Name:   SRC 
LABEL:          GBLRESRM_MONITOR_TI
IDENTIFIER:     87EB4A70

Date/Time:       Mon Sep 25 02:21:03 EDT 2017
Sequence Number: 192159
Machine Id:      00F9FFDD4C00
Node Id:         nc006qad02
Class:           O
Type:            PERM
WPAR:            Global
Resource Name:   GblResRM
0 Karma
Reply

493669
Super Champion
‎01-29-2018 03:21 AM

hey try this:

<base search>|rex field=_raw "LABEL:\s(?<LABEL>\w+)"

Try this run anywhere search:

|makeresults|eval raw="LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC "|rex field=raw "LABEL:\s(?<LABEL>\w+)"

Hope this helps!

0 Karma
Reply

senthamilselvan
Engager
‎01-29-2018 04:18 AM

Hi ,
I tried the below search query but still field is not created
index=test sourcetype=errorlog |rex field=raw "LABEL:\s(?\w+)"

0 Karma
Reply

493669
Super Champion
‎01-29-2018 04:22 AM

instead of raw write _raw

0 Karma
Reply

senthamilselvan
Engager
‎01-29-2018 04:46 AM

same error for that also.
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?\w+)"

Error in 'rex' command: Encountered the following error while compiling the regex 'LABEL:\s(?\w+)': Regex: unrecognized character after (? or (?-

0 Karma
Reply

493669
Super Champion
‎01-29-2018 04:55 AM

hey have you tried this:

index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?<LABEL>\w+)"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...