Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help to extract field from raw

bhaskar5428
Explorer
‎04-04-2025 04:38 AM

Please find the below attached screenshot and data sample i need to create 5 felids 
problem statement - old splunk query not working as logging pattern got changed

3/28/25
10:04:25.685 PM
 
2025-03-28T22:04:25.685Z INFO 1 --- [ool-1-thread-11] c.d.t.l.s.s.e.e.NoopLoggingEtlEndpoint : Completed generation for [DE, 2025-03-28, LOAN_EVENT_SDP, 1]. Number of records: 186

 

Need below 

 

index=*1644* container_name="ls2-sdp-java" $selected_countries$
| rex field=_raw "country=(?P<country>\w+)"    (DE)
| rex field=_raw "sdpType=(?P<sdpType>\w+)"  (LOAN_EVENT_SDP)
| rex field=_raw "cobDate=(?P<cobDate>\w+)"  (2025-03-28)
| rex field=_raw "record-count: (?P<Recordcount>\w+)" (186)
| rex field=_raw "\[(?<dateTime>.*)\] \{Thread"  (2025-03-28T22:04)
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S,%N")
| eval CreatedTime=strftime(DateTime, "%H:%M")
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")

above SPL has old query , can you please help me with new rex pattern to extract these fields 

For clear understanding i have attached required fields in screenshot

 

bhaskar5428_0-1743766654553.png

 

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-04-2025 03:22 PM

Hi @bhaskar5428,

Check out the following:

index=*1644* container_name="ls2-sdp-java" $selected_countries$ 
| rex field=_raw "\[(?<country>[^,]+),\s(?<cobDate>[^,]+),\s(?<sdpType>[^,]+)," 
| rex field=_raw "Number of records:\s*(?<Recordcount>\d+)" 
| rex field=_raw "^(?<dateTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)" 
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%NZ") 
| eval CreatedTime=strftime(DateTime, "%H:%M") 
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")

Example with makeresults:

| makeresults 
| eval _raw="2025-03-28T22:04:25.685Z INFO 1 --- [ool-1-thread-11] c.d.t.l.s.s.e.e.NoopLoggingEtlEndpoint : Completed generation for [DE, 2025-03-28, LOAN_EVENT_SDP, 1]. Number of records: 186" 
| rex field=_raw "\[(?<country>[^,]+),\s(?<cobDate>[^,]+),\s(?<sdpType>[^,]+)," 
| rex field=_raw "Number of records:\s*(?<Recordcount>\d+)" 
| rex field=_raw "^(?<dateTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)" 
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%NZ") 
| eval CreatedTime=strftime(DateTime, "%H:%M") 
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d") 
| table _raw dateTime country cobDate sdpType Recordcount CreatedTime CreatedDate

 

🌟 Did this answer help you? If so, please consider:

  • Adding kudos to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

bhaskar5428
Explorer
‎04-04-2025 05:22 AM

Not working , But if use single and try for single Country its working 
please help 

bhaskar5428_0-1743769239520.pngbhaskar5428_1-1743769275246.png

also what is use of 

| rex field=_raw "^\S+"

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2025 05:05 AM

Perhaps this will help.

index=*1644* container_name="ls2-sdp-java" $selected_countries$
| rex field=_raw "for \[(?P<country>\w+),\s*(?P<cobDate>\w+),\s*(?P<sdpType>\w+)"
| rex field=_raw "records: (?P<Recordcount>\w+)"
| rex field=_raw "^(?<dateTime>\S+)"
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval CreatedTime=strftime(DateTime, "%H:%M")
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bhaskar5428
Explorer
‎04-04-2025 05:24 AM

Not working , please help 

 

| rex field=_raw "^\S+"

bhaskar5428_0-1743769391319.png

bhaskar5428_1-1743769432164.png

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2025 06:04 AM

Please try my updated query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...