Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk multiple field extraction

ppatkar
Path Finder
‎02-19-2021 04:42 AM

 

 I have the below Splunk Event & need to extract multiple fields from the same :

 

[TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--prod', run:'4569876', timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]

 

Expected Table Output :

jobruncode
endcustomer--prod4569876E302: Batch failed

 

I was able to pick some field like :

run\:\'(?<run>\w+)'

https://regex101.com/r/q7NqQb/1

However, unable to extract all the three fields above. Any help is appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-19-2021 04:54 AM

hi @ppatkar,

Use rex command twice:

| rex "job:'(?<job>[^']+)',\srun:'(?<run>[^']+)"
| rex "code:'(?<code>[^']+)'"
| table job, run, code

 

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

jotne
Builder
‎02-24-2021 01:15 AM

All in on rex

 

Your search
| rex "job:'(?<job>[^']+)'. run:'(?<run>[^']+)'.*? code:'(?<code>[^']+)'"
| table job run code

 

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-19-2021 04:54 AM

hi @ppatkar,

Use rex command twice:

| rex "job:'(?<job>[^']+)',\srun:'(?<run>[^']+)"
| rex "code:'(?<code>[^']+)'"
| table job, run, code

 

If this reply helps you, an upvote/like would be appreciated.

Reply
Solved! Jump to solution

ppatkar
Path Finder
‎02-23-2021 02:22 AM

Hi @manjunathmeti 

I have one followup to the earlier , in certain events I see truncated output like below :

 

[TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--pr..[truncated output], run:4569876, timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]

 

This is causing my job to get derived as null . Can you please advise ?

 

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-23-2021 08:46 PM

Try this:

| rex "job:'?(?<job>[^']+)'?,\srun:'?(?<run>\d+)'?"
| rex "code:'(?<code>[^']+)'"
| table job, run, code

 

 If this reply helps you, an upvote/like would be appreciated.

Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...