Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In-built field extraction not working - different delimiters

sunnyleofremont
New Member
‎09-01-2023 12:26 PM

Hello,

I am new to splunk and I trying to extract the fields using built-in feature.  Since the log format contain both the pipe as well as spaces, the in-built field extraction was unable to work. I was trying to extract the field before pipe as "name" , after pipe as "size" , after first space as "value" as shown in below.  I doesn't care about last values like 1547, 1458, 1887.   Any help would be appreciated.

 

Namesizevalue
abc-pendingcardtransfer-networki3077784791
log-incomingtransaction-datainpu378786821
dog-acceptedtransactions-incoming17465466
   

 

 

Sample Logs:

 

9/2/22 11:52:39.005 AM abc-pendingcardtransfer-networki|30 77784791 1547
9/2/22 11:50:39.005 AM log-incomingtransaction-datainpu|3 78786821 1458
9/2/22 11:45:39.005 AM [INFO] 2022-09-01 13:52:38.22 [main] ApacheInactivityMonitor - Number of input traffic is 25
9/2/22 11:44:39.005 AM dog-acceptedtransactions-incoming|1 7465466 1887

 

 

 

Thank You

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎09-05-2023 11:05 PM

@sunnyleofremont - You could use the regex-based field extraction, either REPORT or EXTRACT. And below is the regex you can use for that. For temporary extraction in search, you can also use | rex command with the same regex.

\s+(?<Name>[^\n\s\\|]+)\|(?<size>[^\s\n\r]+)\s+(?<value>[^\s\n\r]+)\s+

https://regex101.com/r/AWNK3i/1 

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-05-2023 11:27 PM

As @VatsalJagani said, you are not limited to using delimiters in Splunk field extraction.  I just posted some screenshots from Splunk Web for a nearly identical data format here: https://community.splunk.com/t5/Splunk-Search/Tempory-output-storage/m-p/656753/highlight/true#M2268...

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...