Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract values from all fields?

senthamilselvan
Engager
‎01-29-2018 03:14 AM

Hi Team,
I want to extract the values like left side(LABEL on of the fileds) all fields and values should take from all the logs.

LABEL = SRC_RSTRT , SRC_RSTRS, GBLRESRM_MONITOR_TI
LABEL:          SRC_RSTRT
IDENTIFIER:     CB4A951F

Date/Time:       Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id:      00F9FFDD4C00
Node Id:         nc006qad02
Class:           S
Type:            INFO
WPAR:            Global
Resource Name:   SRC             

LABEL:          SRC_RSTRS
IDENTIFIER:     CB4A951F

Date/Time:       Wed Sep 27 06:51:00 EDT 2017
Sequence Number: 192160
Machine Id:      00F9FFDD4C00
Node Id:         nc006qad02
Class:           S
Type:            INFO
WPAR:            Global
Resource Name:   SRC 
LABEL:          GBLRESRM_MONITOR_TI
IDENTIFIER:     87EB4A70

Date/Time:       Mon Sep 25 02:21:03 EDT 2017
Sequence Number: 192159
Machine Id:      00F9FFDD4C00
Node Id:         nc006qad02
Class:           O
Type:            PERM
WPAR:            Global
Resource Name:   GblResRM
0 Karma
Reply

493669
Super Champion
‎01-29-2018 03:21 AM

hey try this:

<base search>|rex field=_raw "LABEL:\s(?<LABEL>\w+)"

Try this run anywhere search:

|makeresults|eval raw="LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC "|rex field=raw "LABEL:\s(?<LABEL>\w+)"

Hope this helps!

0 Karma
Reply

senthamilselvan
Engager
‎01-29-2018 04:18 AM

Hi ,
I tried the below search query but still field is not created
index=test sourcetype=errorlog |rex field=raw "LABEL:\s(?\w+)"

0 Karma
Reply

493669
Super Champion
‎01-29-2018 04:22 AM

instead of raw write _raw

0 Karma
Reply

senthamilselvan
Engager
‎01-29-2018 04:46 AM

same error for that also.
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?\w+)"

Error in 'rex' command: Encountered the following error while compiling the regex 'LABEL:\s(?\w+)': Regex: unrecognized character after (? or (?-

0 Karma
Reply

493669
Super Champion
‎01-29-2018 04:55 AM

hey have you tried this:

index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?<LABEL>\w+)"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...