Splunk Search

How to write Splunk query to extract a field from raw data?

rajs115
Path Finder

Hi,

I am trying to find a query to extract a specific code from the raw Splunk data. Below is the raw content.

raw:

[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'

 

I need to extract the data "Major issue error:xyz". Please help me to extract it.

 

Thanks,

Raj.

1 Solution

LRF
Path Finder

Hi @rajs115 ,

Not knowing what the complete pattern of the reported logs is, the following regex can be used as a template:

 

<your base search here> |rex field=_raw "(?<majorIssue>Major issue error:.*):\s"

 

The regex will be applied on the _raw field to capture everything specified in the capturing group, and the capture will be extracted into a new field called majorIssue.

Sample Result:

_raw:       [demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'
_time:      2023-03-29 19:40:49
majorIssue: Major issue error: xyz

 

Sample SPL query:

|makeresults |eval _raw="[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'" |rex field=_raw "(?<majorIssue>Major issue error:.*):\s"

 

Hope this will help you, have a nice day!

Fabrizio 


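As an added example that is not part of LRF's answer or Splunk's own code, the same extraction run in Python's re module over constructed log lines. It shows that the greedy `.*` in the template backtracks to the last ": " on the line, so a line whose tail contains another ": " pair gets over-captured, and a tighter pattern that stops at the first colon after the error name. Python names groups with `(?P<name>...)` where Splunk's rex (PCRE) also accepts `(?<name>...)`; the patterns are otherwise identical.

```python
import re

# Constructed sample lines (not from the original post). The second line adds a
# "Reason: 'timeout'" tail so that a second ": " appears after the error name.
SAMPLE_LINES = [
    "[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'",
    "[demo] FATAL com.test.data - ***** Major issue error: abc: Completion Code '2', Reason: 'timeout'",
    "[demo] INFO com.test.data - heartbeat ok",
]

# Pattern from the accepted answer (Python named-group syntax). The greedy .*
# runs to the end of the line and backtracks to the LAST ':' followed by whitespace.
GREEDY = re.compile(r"(?P<majorIssue>Major issue error:.*):\s")

# Tighter pattern: the error name cannot contain ':', so [^:]+ stops at the first
# colon after it and a ": " further down the line cannot extend the capture.
STRICT = re.compile(r"(?P<majorIssue>Major issue error:\s*[^:]+):\s")


def extract(line, pattern):
    """Return the majorIssue capture for one line, or None when the pattern does
    not match (rex would simply leave the field unset on that event)."""
    m = pattern.search(line)
    return m.group("majorIssue") if m else None


def extract_all(lines, pattern):
    """Apply the pattern to every line, like rex over a result set."""
    return [extract(line, pattern) for line in lines]


if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("strict", STRICT)):
        for line, value in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES, pattern)):
            print(f"{name:6} | {value!r}")
```

Only the second constructed line separates the two patterns; on the poster's actual line both return "Major issue error: xyz".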


rajs115
Path Finder

Hi @LRF, thanks for your response. It worked.
