Splunk Search

I have an index search whose events come back as one long string; I need to display 2 fields from it using regex or rex

sumandevops
Engager

Example:

My search is 

index=* source=*xyz*

I am getting an event with plenty of lines in string format

I want to display 2 fields out of it as the example below:

[2021--2-12][info][xyz][empid=12345][cliner=123]....and so on... and empuniqid=123%abcd ..and so on...

From this I want to display 2 fields: empid and empuniqid


Any suggestions?

Thanks

1 Solution

ITWhisperer
Ultra Champion

If you only want these fields, just put them on a table command

| rex "empid=(?<empid>[^\]]+)"
| rex "empuniqid=(?<empuniqid>[^%]+)"
| table empid empuniqid

If you only want this to work if both these fields are in the _raw data, join the rex together

| rex "empid=(?<empid>[^\]]+).*empuniqid=(?<empuniqid>[^%]+)"
| table empid empuniqid


ITWhisperer
Ultra Champion
| rex "empid=(?<empid>[^\]]+)"
| rex "empuniqid=(?<empuniqid>[^%]+)"

sumandevops
Engager

Not working with this solution


ITWhisperer
Ultra Champion

In what way does it not work?


sumandevops
Engager

@ITWhisperer

For this solution 

| rex "empid=(?<empid>[^\]]+)"
| rex "empuniqid=(?<empuniqid>[^%]+)"


ITWhisperer
Ultra Champion

This solution assumes the data is in the _raw field and that empid is terminated by ] and empuniqid is terminated by %. If these are not the terminators, you can adjust the rex appropriately. If this still doesn't work, please be more specific about what exactly you are trying to extract from the data.


sumandevops
Engager

index=* source=*xyz*

I am getting an event with plenty of lines in one event, in string format

I want to display 2 fields out of it as the example below:

@ITWhisperer 

[2021--2-12][info][xyz][empid=12345][cliner=123]....and so on... and empuniqid=123%abcd ..and so on..


The empid and empuniqid are in a single string and I want to delete all the data except 12345 and 123.

The expected output should be:

empid    empuniqid
12345    123



sumandevops
Engager

@ITWhisperer the first part from 

| rex "empid=(?<empid>[^\]]+).*empuniqid=(?<empuniqid>[^%]+)"
| table empid empuniqid

I mean the empid is able to be fetched but the empuniqid is not; actually, for some fields there is no %. I want the data from the middle of the raw data and there is no delimiter.

Please refer the below example for more understanding :

[2021--2-12][info][xyz][empid=12345][cliner=123]....and so on... and empuniqid=123%abcd ..and so on.

and some times my data varies to

[2021--2-12][info][xyz][empid=12345][cliner=123]....and so on... and empuniqid=12345678 ..and so on.

I want 1234 from the second line and 123 from the first line.

Thank you so much for your help


ITWhisperer
Ultra Champion

How do you know how much of the empuniqid you want? If there is no delimiter, is it up to four numbers from the beginning of the id? Or something else?

| rex "empid=(?<empid>[^\]]+).*empuniqid=(?<empuniqid>\d{1,4})"
| table empid empuniqid
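To make the behaviour of the two rex variants in this thread concrete, here is an added Python example (not Splunk SPL and not code from either poster) that runs the same named-group patterns over the two sample events quoted above. Splunk's rex uses PCRE syntax `(?<name>...)`; Python's `re` spells the same named group `(?P<name>...)`, which is the only change made to the patterns. The two sample events are constructed copies of the lines in the thread. The example shows why the `[^%]+` terminator silently swallows the rest of the line when no `%` is present, and that the `\d{1,4}` variant returns 123 and 1234 for the two events, as the last answer proposes.

```python
import re

# Constructed sample events, copied from the two examples quoted in the thread.
EVENTS = [
    "[2021--2-12][info][xyz][empid=12345][cliner=123]....and so on... and empuniqid=123%abcd ..and so on.",
    "[2021--2-12][info][xyz][empid=12345][cliner=123]....and so on... and empuniqid=12345678 ..and so on.",
]

# Equivalent of the first answer's two separate rex commands
# (Splunk: (?<empid>...) -> Python: (?P<empid>...)).
RE_EMPID = re.compile(r"empid=(?P<empid>[^\]]+)")
RE_EMPUNIQID_PCT = re.compile(r"empuniqid=(?P<empuniqid>[^%]+)")

# Equivalent of the last answer's joined rex that caps the id at four digits.
RE_JOINED_DIGITS = re.compile(
    r"empid=(?P<empid>[^\]]+).*empuniqid=(?P<empuniqid>\d{1,4})"
)


def extract_separate(raw):
    """Mimic two independent rex commands: each field is set only if its own
    pattern matches, otherwise it is left unset (None), just as Splunk leaves
    the field absent when rex does not match."""
    m_id = RE_EMPID.search(raw)
    m_uniq = RE_EMPUNIQID_PCT.search(raw)
    return {
        "empid": m_id.group("empid") if m_id else None,
        "empuniqid": m_uniq.group("empuniqid") if m_uniq else None,
    }


def extract_joined(raw):
    """Mimic the joined rex: both fields are set or neither is, because a
    single pattern must match the whole span from empid= to empuniqid=."""
    m = RE_JOINED_DIGITS.search(raw)
    if not m:
        return {"empid": None, "empuniqid": None}
    return m.groupdict()


def compare_variants(events):
    """Run both variants over every event so the difference is visible side
    by side; returns a list of (separate_result, joined_result) pairs."""
    return [(extract_separate(e), extract_joined(e)) for e in events]


if __name__ == "__main__":
    for raw, (sep, joined) in zip(EVENTS, compare_variants(EVENTS)):
        print(raw)
        print("  separate rex, [^%]+ :", sep)
        print("  joined rex,  \\d{1,4}:", joined)
```

On the first event both variants agree. On the second event the `[^%]+` variant returns the whole tail of the line (`12345678 ..and so on.`) because nothing stops the character class, which is the "not working" symptom reported above; the `\d{1,4}` variant returns `1234`. One caveat worth checking in the real data: the joined pattern relies on `.*`, which in PCRE (and in Python) does not cross a line break by default, so if empid and empuniqid sit on different lines of a multi-line event the joined rex will match nothing and both fields will be absent, whereas the two separate rex commands would still populate them independently.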