Solved: How to use delimiter to filter data from a select...

gcd24967 · ‎08-22-2023

Hi ,

I have my log entries line below:

2023-08-22T10:48:01.340641-07:00 ARC1 (PID:63766948): Archived Log entry 176651 added for T-1.S-31459 ID 0xffffffffadc86430

host = alert1.corp
source = /oracle/diag/rdbms/testprd/TESTPRD1/trace/alert_TESTPRD1.log
sourcetype =alert-logs-oracle

I want to filter the db name from this data which is "testprd" (4th field of Source) and hostname .

Can someone please help me how to use delimiter to filter the db name from source??

bowesmana · ‎08-22-2023

There are a couple of other ways you can do this to expand on @isoutamo reply, one (rex) with a different regex, where you don't always know the parts of the path and one (eval) where you always want the 4th element of the path

| rex field=source "(/[^/]*){3}/(?<db_name>[^/]+)"
| eval db_name=mvindex(split(source, "/"), 4)

View solution in original post

bowesmana · ‎08-22-2023

There are a couple of other ways you can do this to expand on @isoutamo reply, one (rex) with a different regex, where you don't always know the parts of the path and one (eval) where you always want the 4th element of the path

| rex field=source "(/[^/]*){3}/(?<db_name>[^/]+)"
| eval db_name=mvindex(split(source, "/"), 4)

gcd24967 · ‎08-22-2023

Thanks a lot for the help.

It worked as intended.

isoutamo · ‎08-22-2023

Hi

you could try something like

....
| rex field=source "/rdbms/(?<db_name>[^/]+)"

If I understand right you already have hostname in host field?

r. Ismo

How to use delimiter to filter data from a selected field in splunk??

field extraction

regex

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?