Re: Splunk Search content for a particular string

kaushal21rajput · ‎07-18-2018

Hi Team,

I have search in search head which gives output like in snapshot.
Now i want to assign a new field to client no like client 26 , client 31 . All these (client 26, client 31 etc) should have a particular field.
I have tried to used eval command but did not get exact function to be used.
Please help me . Snapshot is attached. alt text

FrankVl · ‎07-19-2018

Assuming you want to extract the number into a field called client, you can do that using the rex command:

| rex "client\s+(?<client>\d+)\s+connected"

ddrillic · ‎07-19-2018

I think Frank meant - client\s+(?<client>\d+)\s+connected

FrankVl · ‎07-19-2018

Oh, yeah, sorry, forgot to post it as code, which makes the triangular brackets disappear. Fixed it 🙂

ddrillic · ‎07-19-2018

Fun stuff ; -)

kaushal21rajput · ‎07-24-2018

Hi Ddrillic/FrankVI ,

I want to assign output value like "client 26 , client 36" to an another field .

These values should be visible in interesting fields.

That is my question.

Splunk Search content for a particular string

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Splunk Search content for a particular string

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0