Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction help

a212830
Champion
‎05-22-2012 01:02 PM

Hi,

I'm a relative newbie (power noob?) who is having issues with extracting fields from a multi-line event. A sample is below. I need to parse out each one into field. I tried grabbing the beginning of the field to the end, but I'm not getting anything. Any ideas? -- \tTCPIP\s(?.+)%
(Not looking for each one - figured if I get one correct, the others would be similiar...)

StartEvent Tue May 22 15:25:33 EDT 2012 ***
CPU 0 17%
Object Store 10%
HTTP and FTP 2%
Access Logging 2%
Miscellaneous 1%
CPU 1 41%
TCPIP 18%
HTTP and FTP 16%
Policy evaluation - HTTP 5%
DNS service 1%

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎05-22-2012 03:54 PM

Assuming you have the line breaking right for the whole event...this works for me to extract the TCPIP %age:

Updated: 

TCPIP\\s+(?<tcpip>.+)%

Not sure what you have at the beginning of yours with '--t'

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎05-22-2012 03:54 PM

Assuming you have the line breaking right for the whole event...this works for me to extract the TCPIP %age:

Updated: 

TCPIP\\s+(?<tcpip>.+)%

Not sure what you have at the beginning of yours with '--t'

Reply
Solved! Jump to solution

a212830
Champion
‎05-29-2012 10:06 AM

Thanks to you both. Just started reading my "Mastering Regular Expressions" book!

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-29-2012 08:11 AM

TCPIP\s+(?<tcpip>\S+)%

Reply
Solved! Jump to solution

a212830
Champion
‎05-29-2012 08:04 AM

this grabs all the whitespace that is between TCPIP and the end value. Is there anyway to strip out that whitespace? I want to go from TCPIP to the %, and grab the value just before the %.

0 Karma
Reply
Get Updates on the Splunk Community!

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Splunk Observability Cloud continues to evolve, empowering engineering and operations teams with advanced ...