Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to write Splunk query to extract a field from raw data?

rajs115
Path Finder
‎03-29-2023 11:30 AM

Hi,

  I am trying to find a query to extract specific code from the raw splunk data. Below is the raw content.

raw:

[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'

 

I need to extract the data "Major issue error:xyz". Please help to me extract it.

 

Thanks,

Raj.

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

LRF
Path Finder
‎03-29-2023 12:46 PM

Hi @rajs115 ,

Not knowing how the complete patterns of the reported logs is, the following regex can be used as a template:

 

<your base search here> |rex field=_raw "(?<majorIssue>Major issue error:.*):\s"

 

 regex will be applied on the _raw field to capture everything specified in the capturing group and will be extracted in a new field called majorIssue

Sample Result:

_raw_timemajorIssue
[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'2023-03-29 19:40:49Major issue error: xyz

 

Sample Spl query:

|makeresults |eval _raw="[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'" |rex field=_raw "(?<majorIssue>Major issue error:.*):\s"

 

Hope this will help you, have a nice day!

Fabrizio 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

LRF
Path Finder
‎03-29-2023 12:46 PM

Hi @rajs115 ,

Not knowing how the complete patterns of the reported logs is, the following regex can be used as a template:

 

<your base search here> |rex field=_raw "(?<majorIssue>Major issue error:.*):\s"

 

 regex will be applied on the _raw field to capture everything specified in the capturing group and will be extracted in a new field called majorIssue

Sample Result:

_raw_timemajorIssue
[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'2023-03-29 19:40:49Major issue error: xyz

 

Sample Spl query:

|makeresults |eval _raw="[demo] FATAL com.test.data - ***** Major issue error: xyz: Completion Code '1', Reason '111'" |rex field=_raw "(?<majorIssue>Major issue error:.*):\s"

 

Hope this will help you, have a nice day!

Fabrizio 

0 Karma
Reply
Solved! Jump to solution

rajs115
Path Finder
‎03-30-2023 09:33 AM

hi @LRF , thanks for your response. it worked

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...