Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract values from all fields?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract values from all fields?
senthamilselvan
Engager
01-29-2018
03:14 AM
Hi Team,
I want to extract the values like left side(LABEL on of the fileds) all fields and values should take from all the logs.
LABEL = SRC_RSTRT , SRC_RSTRS, GBLRESRM_MONITOR_TI
LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC
LABEL: SRC_RSTRS
IDENTIFIER: CB4A951F
Date/Time: Wed Sep 27 06:51:00 EDT 2017
Sequence Number: 192160
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC
LABEL: GBLRESRM_MONITOR_TI
IDENTIFIER: 87EB4A70
Date/Time: Mon Sep 25 02:21:03 EDT 2017
Sequence Number: 192159
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: O
Type: PERM
WPAR: Global
Resource Name: GblResRM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-29-2018
03:21 AM
hey try this:
<base search>|rex field=_raw "LABEL:\s(?<LABEL>\w+)"
Try this run anywhere search:
|makeresults|eval raw="LABEL: SRC_RSTRT
IDENTIFIER: CB4A951F
Date/Time: Fri Sep 29 16:20:02 EDT 2017
Sequence Number: 192161
Machine Id: 00F9FFDD4C00
Node Id: nc006qad02
Class: S
Type: INFO
WPAR: Global
Resource Name: SRC "|rex field=raw "LABEL:\s(?<LABEL>\w+)"
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
01-29-2018
04:18 AM
Hi ,
I tried the below search query but still field is not created
index=test sourcetype=errorlog |rex field=raw "LABEL:\s(?\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-29-2018
04:22 AM
instead of raw write _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
senthamilselvan
Engager
01-29-2018
04:46 AM
same error for that also.
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?\w+)"
Error in 'rex' command: Encountered the following error while compiling the regex 'LABEL:\s(?\w+)': Regex: unrecognized character after (? or (?-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-29-2018
04:55 AM
hey have you tried this:
index=test sourcetype=errorlog |rex field=_raw "LABEL:\s(?<LABEL>\w+)"
Get Updates on the Splunk Community!
Index This | Why did the turkey cross the road?
November 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
