Solved: Need help in regular expression to extract data.

DataOrg · ‎02-14-2020

I need to filter the data from below _raw only the SPLUNKXML =""

_raw

2020-02-13 01:04:18.910, COUNT="863132", URL="http://122.32.10:8080/HP/Material", SAD="GET", SPLUNKXML="<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>", IPCODE="111", Timestamp="2020-02-13 01:00:06.75"

OUtput needed:

    SPLUNKXML= "<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>"

to4kawa · ‎02-14-2020

| makeresults 
| eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" 
| kv
| foreach * [eval <<FIELD>> = trim('<<FIELD>>', "\'")]

@manjunathmeti @premranjithj
If you use spath later, the query is here.

View solution in original post

to4kawa · ‎02-14-2020

| makeresults 
| eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" 
| kv
| foreach * [eval <<FIELD>> = trim('<<FIELD>>', "\'")]

@manjunathmeti @premranjithj
If you use spath later, the query is here.

manjunathmeti · ‎02-14-2020

SPLUNKXML should be extracted automatically by splunk . If not use rex: | rex field=_raw "SPLUNKXML=(?.*), IPCODE"

Sample query:

| makeresults | eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" | rex field=_raw "SPLUNKXML=(?<SPLUNKXML>.*), IPCODE"

Need help in regular expression to extract data.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation