Solved: Need help in regular expression to extract data.

DataOrg · ‎02-14-2020

I need to filter the data from below _raw only the SPLUNKXML =""

_raw

2020-02-13 01:04:18.910, COUNT="863132", URL="http://122.32.10:8080/HP/Material", SAD="GET", SPLUNKXML="<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>", IPCODE="111", Timestamp="2020-02-13 01:00:06.75"

OUtput needed:

    SPLUNKXML= "<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>"

to4kawa · ‎02-14-2020

| makeresults 
| eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" 
| kv
| foreach * [eval <<FIELD>> = trim('<<FIELD>>', "\'")]

@manjunathmeti @premranjithj
If you use spath later, the query is here.

View solution in original post

to4kawa · ‎02-14-2020

| makeresults 
| eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" 
| kv
| foreach * [eval <<FIELD>> = trim('<<FIELD>>', "\'")]

@manjunathmeti @premranjithj
If you use spath later, the query is here.

manjunathmeti · ‎02-14-2020

SPLUNKXML should be extracted automatically by splunk . If not use rex: | rex field=_raw "SPLUNKXML=(?.*), IPCODE"

Sample query:

| makeresults | eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" | rex field=_raw "SPLUNKXML=(?<SPLUNKXML>.*), IPCODE"

Need help in regular expression to extract data.

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Need help in regular expression to extract data.

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...