field extraction

nehamvinchankar · ‎12-04-2023

How to extract field from below event
I want nname,ID,app and Time , here nname is mule_330299_prod_App01_Clt1
ID=91826354-d521-4a01-999f-35953d99b829
app=870a76ea-8033-443c-a312-834363u3d
Time=2023-12-23T14:22:43.025Z

CSV Content:nname,Id,app,Time
mule_330299_prod_App01_Clt1,91826354-d521-4a01-999f-35953d99b829,870a76ea-8033-443c-a312-834363u3d,2023-12-23T14:22:43.025Z
mule_29999_dev_WebApp01_clt1,152g382226vi-44e6-9721-aa7c1ea1ec1b,26228e-28sgsbx-943b-58b20a5c74c6,2024-01-06T13:29:15.762867Z

like this we have multiple lines in one event

yuanliu · ‎12-04-2023

Or, do you mean your events each has its own header like nname,Id,app,Time? If that is the case, use this alternative:

| multikv forceheader=1

ITWhisperer · ‎12-04-2023

Do you mean something like this?

| makeresults
| eval _raw="mule_330299_prod_App01_Clt1,91826354-d521-4a01-999f-35953d99b829,870a76ea-8033-443c-a312-834363u3d,2023-12-23T14:22:43.025Z
mule_29999_dev_WebApp01_clt1,152g382226vi-44e6-9721-aa7c1ea1ec1b,26228e-28sgsbx-943b-58b20a5c74c6,2024-01-06T13:29:15.762867Z"
| multikv noheader=t
| rename Column_1 as nname
| rename Column_2 as ID
| rename Column_3 as app
| rename Column_4 as time

gcusello · ‎12-04-2023

hi @nehamvinchankar ,

please try the following regex:

| rex "^(?<nname>[^,]+),(?<Id>[^,]+),(?<app>[^,]+),(?<Time>.*)"

that you can test at https://regex101.com/r/Qd83YT/1

otherwise, you could use the guided field extraction with separators.

Ciao.

Giuseppe

field extraction

field extraction

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...