Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field extraction

dasari
Engager
‎10-09-2012 02:58 PM

I am able to execute the below search command using rex and retrieve the output successfully

index=xyz | rex field=_raw "queue[\s=]'(?.*)'([\s:]|$)" | search q1='test.queue'

however when i am creating a filed extraction using regex for the above "q1" field i am unable to retrieve any results.(index=xyz | q1='test.queue'
regex used in field extraction page is queue[\s=]'(?.*)'([\s:]|$)

can anyone help me in letting me know how to create the field extraction from a rex command

Tags (1)
Reply

Lucas_K
Motivator
‎10-09-2012 04:10 PM

Tried using the "where" command?

http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Where

so use it something like ... index=xyz | rex field=_raw "queue[s=]'(?.*)'([s:]|$)" | where like(q1, "test.queue")

0 Karma
Reply

dasari
Engager
‎10-09-2012 04:03 PM

2012-01-03 16:42:17.346 [MSG:234123] acknowledged by user='admin': queue='test.queue'
2012-01-03 16:42:17.334 : Destroyed producer (connid=10, sessid=9, prodid=4) into queue 'test.queue'

in both the cases im trying to extract queue field

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎10-09-2012 03:01 PM

It would help if you could post a sample of your data.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...