Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract values from all fields?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract values from all fields?
senthamilselvan
Engager
01-29-2018
03:14 AM
Hi Team,
I want to extract the values like left side(LABEL on of the fileds) all fields and values should take from all the logs.
LABEL = SRC_RSTRT , SRC_RSTRS, GBLRESRM_MONITOR_TI
LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC
LABEL: SRC_RSTRS
IDENTIFIER: CB4A951F
Date/Time: Wed Sep 27 06:51:00 EDT 2017
Sequence Number: 192160
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC
LABEL: GBLRESRM_MONITOR_TI
IDENTIFIER: 87EB4A70
Date/Time: Mon Sep 25 02:21:03 EDT 2017
Sequence Number: 192159
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: O
Type: PERM
WPAR: Global
Resource Name: GblResRM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-29-2018
03:21 AM
hey try this:
<base search>|rex field=_raw "LABEL:\s(?<LABEL>\w+)"
Try this run anywhere search:
|makeresults|eval raw="LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC "|rex field=raw "LABEL:\s(?<LABEL>\w+)"
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
01-29-2018
04:18 AM
Hi ,
I tried the below search query but still field is not created
index=test sourcetype=errorlog |rex field=raw "LABEL:\s(?\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-29-2018
04:22 AM
instead of raw write _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
01-29-2018
04:46 AM
same error for that also.
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?\w+)"
Error in 'rex' command: Encountered the following error while compiling the regex 'LABEL:\s(?\w+)': Regex: unrecognized character after (? or (?-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-29-2018
04:55 AM
hey have you tried this:
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?<LABEL>\w+)"
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
