Splunk Search

extract a value from raw field

alexanderschlau
Explorer

Hi,


Is there a way to extract a value from a field even when there is no = between key and value? After extracting them I want to use them as search criteria. Unfortunately I need to work with data that is not optimized for Splunk.

For example: I have the following raw field:

"2020-12-16 13:39:00.7174 INFO 001d1764-80c3-4c35-87c7-ec25382b4328 IM_Contact with SetID Cardlink_DCDOB2012146196-1006 has current Status Completed. ContactID [CO-000085513778], CaseID [CA-000002980184] APOrchestrator.ProcessIncomingMessage => ServiceQueueOrchestrator`2.LogContactStatus => Logger.LogInfo"


I want to extract following key / values:

Info = 001d1764-80c3-4c35-87c7-ec25382b4328

SetID = Cardlink_DCDOB2012146196-1006

Status = Completed

ContactID = CO-000085513778

CaseID = CA-000002980184


I found some interesting answers, but all of them work with real key/value pairs (fields) as a basis.


0 Karma
1 Solution

richgalloway
SplunkTrust

That's easy to do with rex.


| rex "INFO (?<Info>\S+)"
| rex "SetID (?<SetID>\S+)"
| rex "Status (?<Status>\w+)"
| rex "ContactID \[(?<ContactID>[^\]]+)"
| rex "CaseID \[(?<CaseID>[^\]]+)"


---
If this reply helps you, an upvote would be appreciated.

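The same extraction chain applied to the event from the question, as an added example in Python (not code from this thread or from Splunk). It assumes the five patterns behave as the rex commands do: each pattern is searched once, matching named groups become fields, and a pattern that does not match simply leaves its field absent (null in Splunk). Python's re module spells named groups as (?P<name>...), where Splunk's PCRE accepts (?<name>...). The second event and the helper names rex_extract and search are constructed for this example; search mirrors the follow-on `| search Status=Completed` the question asks about.

```python
import re

# Constructed sample events. The first is the event from the question; the second
# is an invented variant with a different Status and no CaseID, to show how a
# non-matching pattern is handled.
EVENTS = [
    "2020-12-16 13:39:00.7174 INFO 001d1764-80c3-4c35-87c7-ec25382b4328 "
    "IM_Contact with SetID Cardlink_DCDOB2012146196-1006 has current Status "
    "Completed. ContactID [CO-000085513778], CaseID [CA-000002980184] "
    "APOrchestrator.ProcessIncomingMessage => ServiceQueueOrchestrator`2.LogContactStatus "
    "=> Logger.LogInfo",
    "2020-12-16 13:40:02.0011 INFO 7f3a9c10-1111-4222-8333-444455556666 "
    "IM_Contact with SetID Cardlink_EXAMPLE-1007 has current Status "
    "Failed. ContactID [CO-000085513779] "
    "APOrchestrator.ProcessIncomingMessage => Logger.LogInfo",
]

# Same regexes as the accepted answer's rex commands, in Python's (?P<name>...) form.
REX_PATTERNS = [
    r"INFO (?P<Info>\S+)",
    r"SetID (?P<SetID>\S+)",
    r"Status (?P<Status>\w+)",
    r"ContactID \[(?P<ContactID>[^\]]+)",
    r"CaseID \[(?P<CaseID>[^\]]+)",
]


def rex_extract(raw, patterns=REX_PATTERNS):
    """Emulate a chain of `| rex` commands on one raw event.

    Each pattern is searched once; the named groups of a match become fields.
    A pattern that does not match contributes nothing, so the field stays
    absent, just as rex leaves it null.
    """
    fields = {}
    for pattern in patterns:
        match = re.search(pattern, raw)
        if match:
            fields.update(match.groupdict())
    return fields


def search(events, **criteria):
    """Emulate `| rex ... | search k=v ...`: keep events whose extracted
    fields equal every given criterion and return their field dicts."""
    hits = []
    for raw in events:
        fields = rex_extract(raw)
        if all(fields.get(key) == value for key, value in criteria.items()):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for raw in EVENTS:
        print(rex_extract(raw))
    print(search(EVENTS, Status="Completed"))
```

Because the extraction runs at search time, the extracted fields can be used directly in the same pipeline (for example `... | rex ... | search Status=Completed`), and an event with no CaseID in the text simply has no CaseID field rather than a wrong value.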

alexanderschlau
Explorer

Great, so simple and it works, thanks

0 Karma

richgalloway
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

alexanderschlau
Explorer

I think a little change is needed for CaseID and ContactID, but I got the principle.

0 Karma
