field extraction

dasari · ‎10-09-2012

I am able to execute the below search command using rex and retrieve the output successfully

index=xyz | rex field=_raw "queue[\s=]'(?.*)'([\s:]|$)" | search q1='test.queue'

however when i am creating a filed extraction using regex for the above "q1" field i am unable to retrieve any results.(index=xyz | q1='test.queue'
regex used in field extraction page is queue[\s=]'(?.*)'([\s:]|$)

can anyone help me in letting me know how to create the field extraction from a rex command

Lucas_K · ‎10-09-2012

Tried using the "where" command?

http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Where

so use it something like ... index=xyz | rex field=_raw "queue[s=]'(?.*)'([s:]|$)" | where like(q1, "test.queue")

dasari · ‎10-09-2012

2012-01-03 16:42:17.346 [MSG:234123] acknowledged by user='admin': queue='test.queue'
2012-01-03 16:42:17.334 : Destroyed producer (connid=10, sessid=9, prodid=4) into queue 'test.queue'

in both the cases im trying to extract queue field

jbsplunk · ‎10-09-2012

It would help if you could post a sample of your data.

field extraction

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM