Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In-built field extraction not working - different delimiters

sunnyleofremont
New Member
‎09-01-2023 12:26 PM

Hello,

I am new to splunk and I trying to extract the fields using built-in feature.  Since the log format contain both the pipe as well as spaces, the in-built field extraction was unable to work. I was trying to extract the field before pipe as "name" , after pipe as "size" , after first space as "value" as shown in below.  I doesn't care about last values like 1547, 1458, 1887.   Any help would be appreciated.

 

Namesizevalue
abc-pendingcardtransfer-networki3077784791
log-incomingtransaction-datainpu378786821
dog-acceptedtransactions-incoming17465466
   

 

 

Sample Logs:

 

9/2/22 11:52:39.005 AM abc-pendingcardtransfer-networki|30 77784791 1547
9/2/22 11:50:39.005 AM log-incomingtransaction-datainpu|3 78786821 1458
9/2/22 11:45:39.005 AM [INFO] 2022-09-01 13:52:38.22 [main] ApacheInactivityMonitor - Number of input traffic is 25
9/2/22 11:44:39.005 AM dog-acceptedtransactions-incoming|1 7465466 1887

 

 

 

Thank You

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎09-05-2023 11:05 PM

@sunnyleofremont - You could use the regex-based field extraction, either REPORT or EXTRACT. And below is the regex you can use for that. For temporary extraction in search, you can also use | rex command with the same regex.

\s+(?<Name>[^\n\s\\|]+)\|(?<size>[^\s\n\r]+)\s+(?<value>[^\s\n\r]+)\s+

https://regex101.com/r/AWNK3i/1 

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-05-2023 11:27 PM

As @VatsalJagani said, you are not limited to using delimiters in Splunk field extraction.  I just posted some screenshots from Splunk Web for a nearly identical data format here: https://community.splunk.com/t5/Splunk-Search/Tempory-output-storage/m-p/656753/highlight/true#M2268...

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...