Solved: How to use the field in search query EXTRACTED usi...

rangineniarunku · ‎09-20-2017

I have a field named "content" with multiple values to it as follows
content=value.deva
content=value.devb
" =value.devc ......
I have written a rex expression in my search query .........| rex field=Name ".(?.*)" to extract the Environment from the field content . Now I want to get the values in my result only for Environment=deva, how can I use the field Environment in my query?
I tried this way but it did not work ".........| rex field=content ".(?.)" | Environment=deva "

Can someone help me with this?

DalJeanis · ‎09-20-2017

You are looking for the | where command.

| where Environment="myvalue"

View solution in original post

DalJeanis · ‎09-20-2017

You are looking for the | where command.

| where Environment="myvalue"

rangineniarunku · ‎09-20-2017

It worked!!!

How to use the field in search query EXTRACTED using REX command

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How to use the field in search query EXTRACTED using REX command

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey