Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extract fields from a sentence

newbiesplunk
Path Finder
‎09-26-2014 11:23 PM

Hi,
I had the following sentence and wish to extract fields as follows:

event Row: 1234, tp1, 314242, 1, 2014-09-27 12:00:19.0, track, 55444, test

Below is the fields to extract from the above event.

Key      Value
S_ID     1234
type     tp1
B_ID     314242
mode   1
B_date  2014-09-27 12:00:19.0
name    track
c_ID      55444
c_name test

How to go abt extracting the fields in the most simplest way? thks

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-27-2014 06:59 AM

Do it in the form of a REPORT in props/transforms.

props.conf

[your_sourcetype]
REPORT-blah = get_my_fields

transforms.conf

[get_my_fields]
DELIMS = ","
FIELDS = S_ID, type, B_ID, mode, B_date, name, c_ID, c_name

/K

0 Karma
Reply

somesoni2
Revered Legend
‎09-27-2014 12:26 AM

Try this

Your base search | rex "(?<S_ID>.*),(?<type>.*),(?<B_ID>.*),(?<mode>.*),(?<B_date>.*),(?<name>.*),(?<C_ID>.*),(?<C_name>.*)"
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...