Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Searches separated by Colon

ekucevic
Loves-to-Learn Everything
‎07-06-2021 09:02 AM

I source database that displays all of the info i need that is separated by colon. Example "ilruPartNumber":"12345"., "lruSoftwareVersion":"7.10.0.74". All of the info i need is separated by an " : "


What i want is to separate the search to list the Name then Number. Example ilruPartNumber = 12345.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2021 09:11 AM 
| rex "\"(?<key>[^\"]+)\":\"(?<value>[^\"]+)\""
| eval {key}=value
0 Karma
Reply

ekucevic
Loves-to-Learn Everything
‎07-06-2021 02:11 PM
Spoiler
I am a beginner here so alittle bit of a walk through could be necessary. 
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2021 03:13 PM

The rex command (without a field argument) will operate on the _raw field of each event. The regex used extracts the part before the colon into a field called key and the part afterwards into a field called value. The eval command creates a field using the name in the key field and with the value from the value field. This is the basis for extracting the field. If you want a more precise version of the command, you should share some anonymised events, that you have already retrieved with your search, so the command can be tailored to your specific case.

0 Karma
Reply

ekucevic
Loves-to-Learn Everything
‎07-08-2021 09:41 AM

Hi, Thanks for your reply, I think my issue is due to quotes within quotes? No sure. Below is a sample of my search. Basically everything in red is a sample what i am searching for. 

 

[{"lruName":"Modem","lruType":"MBR","lruMacAddress":"00:A0:BC:72:6F:44","lruModelNumber":"MBR-5500","lruSerialNumber":"C80016506037","lruPartNumber":"1244523","lruSoftwareVersion":"M3-1.3.5.2.89_2021.06.18","lruConfigVersion":"7.10.0.38"

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-08-2021 11:01 AM

This looks like JSON, perhaps you should investigate spath as a way to extract the fields

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...