Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction after brackets value

indeed_2000
Motivator
‎04-24-2020 09:50 PM

hi i have log file like below
need to extact the section after first "]" to "[" or "." or ":"

2020-04-24 23:59:59,511 INFO  ABCD.InIT-Service-1234567 [SrvListener] Receive Message[123456789ABCD123E123456789*] from [Service.APP]
2020-04-24 23:59:57,055 INFO  ABCD.InIT-Service-1234567_EFGH.InIT-AppService-5764693 [AbcEndpointManager] Send Message [123456789ABCD123456789123456789*] to A[000] B[0000]
2020-04-24 23:59:59,081 INFO  ABCD.InIT-Host-1234567_EFGH.InIT-Service-1234567 [TopologyProcessorService] Message Processed: A[000] B[0000]
2020-04-24 23:29:59,844 INFO  ABCD.InIT-Service-1234567 [NetworkProcessor] NetworkProcessor Accomplished: A[000] B[0000]
2020-04-24 23:29:59,851 INFO  NAME-1234567 [ExecuteService] CustomeService_clusterCustomeCommand chain was done. Define Parameters[input0='00000',input1='000000']

expected value:

  • Receive Message
  • Send Message
  • Message Processed
  • NetworkProcessor Accomplished
  • CustomeService_clusterCustomeCommand chain was done

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-25-2020 01:09 AM

Use rex:

index = INDEX | rex "\]\s(?<message>[\w\s]+)"

Sample query:

| makeresults 
| eval _raw=" _raw
2020-04-24 23:59:59,511 INFO  ABCD.InIT-Service-1234567 [SrvListener] Receive Message[123456789ABCD123E123456789*] from [Service.APP]
2020-04-24 23:59:57,055 INFO  ABCD.InIT-Service-1234567_EFGH.InIT-AppService-5764693 [AbcEndpointManager] Send Message [123456789ABCD123456789123456789*] to A[000] B[0000]
2020-04-24 23:59:59,081 INFO  ABCD.InIT-Host-1234567_EFGH.InIT-Service-1234567 [TopologyProcessorService] Message Processed: A[000] B[0000]
2020-04-24 23:29:59,844 INFO  ABCD.InIT-Service-1234567 [NetworkProcessor] NetworkProcessor Accomplished: A[000] B[0000]
2020-04-24 23:29:59,851 INFO  NAME-1234567 [ExecuteService] CustomeService_clusterCustomeCommand chain was done. Define Parameters[input0='00000',input1='000000']" 
| multikv forceheader=1 
| rex "\]\s(?<message>[\w\s]+)" 
| fields _raw, message

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-25-2020 01:09 AM

Use rex:

index = INDEX | rex "\]\s(?<message>[\w\s]+)"

Sample query:

| makeresults 
| eval _raw=" _raw
2020-04-24 23:59:59,511 INFO  ABCD.InIT-Service-1234567 [SrvListener] Receive Message[123456789ABCD123E123456789*] from [Service.APP]
2020-04-24 23:59:57,055 INFO  ABCD.InIT-Service-1234567_EFGH.InIT-AppService-5764693 [AbcEndpointManager] Send Message [123456789ABCD123456789123456789*] to A[000] B[0000]
2020-04-24 23:59:59,081 INFO  ABCD.InIT-Host-1234567_EFGH.InIT-Service-1234567 [TopologyProcessorService] Message Processed: A[000] B[0000]
2020-04-24 23:29:59,844 INFO  ABCD.InIT-Service-1234567 [NetworkProcessor] NetworkProcessor Accomplished: A[000] B[0000]
2020-04-24 23:29:59,851 INFO  NAME-1234567 [ExecuteService] CustomeService_clusterCustomeCommand chain was done. Define Parameters[input0='00000',input1='000000']" 
| multikv forceheader=1 
| rex "\]\s(?<message>[\w\s]+)" 
| fields _raw, message
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎04-25-2020 08:58 AM

work like charm, thank you 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...