Re: Splunk Search content for a particular string

kaushal21rajput · ‎07-18-2018

Hi Team,

I have search in search head which gives output like in snapshot.
Now i want to assign a new field to client no like client 26 , client 31 . All these (client 26, client 31 etc) should have a particular field.
I have tried to used eval command but did not get exact function to be used.
Please help me . Snapshot is attached.

FrankVl · ‎07-19-2018

Assuming you want to extract the number into a field called client, you can do that using the rex command:

| rex "client\s+(?<client>\d+)\s+connected"

ddrillic · ‎07-19-2018

I think Frank meant - client\s+(?<client>\d+)\s+connected

FrankVl · ‎07-19-2018

Oh, yeah, sorry, forgot to post it as code, which makes the triangular brackets disappear. Fixed it 🙂

ddrillic · ‎07-19-2018

Fun stuff ; -)

kaushal21rajput · ‎07-24-2018

Hi Ddrillic/FrankVI ,

I want to assign output value like "client 26 , client 36" to an another field .

These values should be visible in interesting fields.

That is my question.

Splunk Search content for a particular string

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation