Splunk Search

extract a value from raw field

alexanderschlau
Explorer

Hi,


Is there a way to extract a value from a field even when there is no = between key and value? After extracting, I want to use them as search criteria. Unfortunately I need to work with data which is not optimized for Splunk.

For example, I have the following raw field:

"2020-12-16 13:39:00.7174 INFO 001d1764-80c3-4c35-87c7-ec25382b4328 IM_Contact with SetID Cardlink_DCDOB2012146196-1006 has current Status Completed. ContactID [CO-000085513778], CaseID [CA-000002980184] APOrchestrator.ProcessIncomingMessage => ServiceQueueOrchestrator`2.LogContactStatus => Logger.LogInfo"

 

I want to extract following key / values:

Info = 001d1764-80c3-4c35-87c7-ec25382b4328

SetID = Cardlink_DCDOB2012146196-1006

Status = Completed

ContactID = CO-000085513778

CaseID = CA-000002980184

 

Found some interesting answers, but all of them work with real key/value pairs (fields) as a basis.

 

0 Karma
1 Solution

richgalloway
SplunkTrust

That's easy to do with rex.

 

| rex "INFO (?<Info>\S+)"
| rex "SetID (?<SetID>\S+)"
| rex "Status (?<Status>\w+)"
| rex "ContactID \[(?<ContactID>[^\]]+)"
| rex "CaseID \[(?<CaseID>[^\]]+)"

 

---
If this reply helps you, Karma would be appreciated.

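As an added example (not part of richgalloway's reply or the original post), the same extraction used end to end: the base search first narrows on a literal string that every such event contains, the five fields are then pulled out with one rex per field, and the extracted fields are finally used as search criteria. index=app and sourcetype=aporchestrator are assumed placeholders for wherever these log lines are indexed; adjust them to your environment.

```spl
index=app sourcetype=aporchestrator "IM_Contact with SetID"
| rex "INFO (?<Info>\S+)"
| rex "SetID (?<SetID>\S+)"
| rex "has current Status (?<Status>\w+)"
| rex "ContactID \[(?<ContactID>[^\]]+)\]"
| rex "CaseID \[(?<CaseID>[^\]]+)\]"
| search Status=Completed SetID=Cardlink_*
| table _time Info SetID Status ContactID CaseID
```

Fields created by rex exist only from that point in the pipeline onward, so `Status=Completed` cannot go in the base search before the first pipe; if you need that, put the same regular expressions into `EXTRACT-` stanzas in props.conf for the sourcetype, which produces the fields at search time for every search. Keeping one rex per field means an event that happens to lack, say, a CaseID still yields the other four fields, whereas a single combined pattern would extract nothing for that event. Anchoring on `has current Status` rather than `Status ` alone avoids capturing the wrong word if the string "Status" ever appears earlier in a message.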

alexanderschlau
Explorer

Great, so simple and it works, thanks.

0 Karma

richgalloway
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

alexanderschlau
Explorer

I think there is a little change needed in CaseID and ContactID, but I got the principle.

0 Karma
