Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In-built field extraction not working - different delimiters

sunnyleofremont
New Member
‎09-01-2023 12:26 PM

Hello,

I am new to splunk and I trying to extract the fields using built-in feature.  Since the log format contain both the pipe as well as spaces, the in-built field extraction was unable to work. I was trying to extract the field before pipe as "name" , after pipe as "size" , after first space as "value" as shown in below.  I doesn't care about last values like 1547, 1458, 1887.   Any help would be appreciated.

 

Namesizevalue
abc-pendingcardtransfer-networki3077784791
log-incomingtransaction-datainpu378786821
dog-acceptedtransactions-incoming17465466
   

 

 

Sample Logs:

 

9/2/22 11:52:39.005 AM abc-pendingcardtransfer-networki|30 77784791 1547
9/2/22 11:50:39.005 AM log-incomingtransaction-datainpu|3 78786821 1458
9/2/22 11:45:39.005 AM [INFO] 2022-09-01 13:52:38.22 [main] ApacheInactivityMonitor - Number of input traffic is 25
9/2/22 11:44:39.005 AM dog-acceptedtransactions-incoming|1 7465466 1887

 

 

 

Thank You

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎09-05-2023 11:05 PM

@sunnyleofremont - You could use the regex-based field extraction, either REPORT or EXTRACT. And below is the regex you can use for that. For temporary extraction in search, you can also use | rex command with the same regex.

\s+(?<Name>[^\n\s\\|]+)\|(?<size>[^\s\n\r]+)\s+(?<value>[^\s\n\r]+)\s+

https://regex101.com/r/AWNK3i/1 

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-05-2023 11:27 PM

As @VatsalJagani said, you are not limited to using delimiters in Splunk field extraction.  I just posted some screenshots from Splunk Web for a nearly identical data format here: https://community.splunk.com/t5/Splunk-Search/Tempory-output-storage/m-p/656753/highlight/true#M2268...

0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...