Re: How to fetch the values from log using regular...

aqaadi · ‎07-23-2019

Hi Team,

Need your help on below search:

I'm spitting something like this in the log:

My Test Data|My Test ID|My Case Status|My verification code|My Comments on case

The log has the data similar to above format delimited by pipe "|"

I have around 8 fields in this way and I want to extract them in a table format and send the output to a service.

Can you help me achieve it?

aqaadi · ‎07-23-2019

I tried the regex expression regex _raw=(ML\D{17})|(\D{3}\d{6}-\d{6}) and it worked. However i see entire log snippet is being returned instead of just the data present in regex expression.

Any idea how to achieve this?

vnravikumar · ‎07-23-2019

Hi

Try like

| makeresults 
| eval test="aaa|bbb|ccc|ddd|eee" 
| eval result=split(test,"|") 
| eval My_Test_Data=mvindex(result,0),My_Test_ID=mvindex(result,1),My_Case_Status=mvindex(result,2),My_verification_code=mvindex(result,3),My_Comments_on_case=mvindex(result,4) 
| table My_Test_Data My_Test_ID My_Case_Status My_verification_code My_Comments_on_case

aqaadi · ‎07-24-2019

This worked thanks

aqaadi · ‎07-23-2019

what should be the value of makeresults here ?

aqaadi · ‎07-23-2019

thanks let me try it.
How do i passs the log snippet at runtime to test variable?

How to fetch the values from log using regular expression?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

How to fetch the values from log using regular expression?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar