- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract values "good" and "bad" from my...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract values "good" and "bad" from my sample data into a new field named STATUS?
Hi
I have a log file in which all the events has this below lines as common;
04:03:28 04/12/2016 good 201961028 1456 - Validation_Competed - ProductCode_3446565 0.133 sec, 1 row, 0 5:75127 200
04:03:32 04/12/2016 bad 201961028 1456 - Validation_Competed - ProductCode_3446569 0.133 sec, 1 row, 0 5:75127 200
Here in the above 2 events we have the words "good" and "bad" and I need to a create a new field by name "STATUS" for them which should have its values as either "good" or "bad".
Can some one please advise me the right REX command to execute here?
Thanks
Roopesh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some readings
Field Extraction (saved) from Splunk Web
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions
Field Extraction from conf files editing
http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Aboutfields#Configure_field_extractions_...
Interactive field extraction from Search page
http://docs.splunk.com/Documentation/Splunk/6.1.8/Knowledge/ExtractfieldsinteractivelywithIFX
Inline field extractions using rex
http://docs.splunk.com/Documentation/Splunk/latest/Search/Extractfieldswithsearchcommands
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a simple log format and rex should be fairly easy to extract the field you are interested and as suggested above.
If you not comfortable with rex , I would suggest to use the splunk field extractor utility and create the required field first during search time and then you can use the newly created field in your search .
See below documentation for more details .
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the simplest answer of course is ... | rex "(?<STATUS>good|bad)" this assumes however that neither good nor bad show up in your events other than the status field and your status field only takes the values of good and bad.
You could anchor the regular expression based on the date format outside of the capturing group. You'd want to play with samples of your data and a site like regex101.com to develop expressions. Eventually you could build a field extraction for your sourcetype and not need the Rex command in your search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... | rex "(?<STATUS>good|bad)" will help you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This regex should work for you : \d\s(\w+)\s\d
Hope this is what you are looking for. 🙂
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
