field extraction

dasari · ‎10-09-2012

I am able to execute the below search command using rex and retrieve the output successfully

index=xyz | rex field=_raw "queue[\s=]'(?.*)'([\s:]|$)" | search q1='test.queue'

however when i am creating a filed extraction using regex for the above "q1" field i am unable to retrieve any results.(index=xyz | q1='test.queue'
regex used in field extraction page is queue[\s=]'(?.*)'([\s:]|$)

can anyone help me in letting me know how to create the field extraction from a rex command

Lucas_K · ‎10-09-2012

Tried using the "where" command?

http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Where

so use it something like ... index=xyz | rex field=_raw "queue[s=]'(?.*)'([s:]|$)" | where like(q1, "test.queue")

dasari · ‎10-09-2012

2012-01-03 16:42:17.346 [MSG:234123] acknowledged by user='admin': queue='test.queue'
2012-01-03 16:42:17.334 : Destroyed producer (connid=10, sessid=9, prodid=4) into queue 'test.queue'

in both the cases im trying to extract queue field

jbsplunk · ‎10-09-2012

It would help if you could post a sample of your data.

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience