Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help me rex extraction
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sravankaripe
Communicator
11-09-2016
01:49 PM
i want to extract the fields and values where field name start with dv_ . Please help me with field extraction on this case.
endpoint="https://xyz.com/",dv_activity_due="UNKNOWN",calendar_stc="1231961",approval="not requested",dv_urgency="4 - Low",u_department="",dv_u_category="None",opened_by="frsjytyghngfchyghgmhhmhmhj",dv_u_caused_by="None",dv_u_software_model="",closed_at="2016-11-09 21:24:09",activity_due="",dv_number="INC123456",urgency="7",dv_sys_created_on="2016-10-26 10:11:28",service_offering="",dv_service_offering="",dv_upon_reject="Cancel all future Tasks",parent="",work_notes="",parent_incident="",u_territory="",dv_u_area="None",u_loc_code="",dv_sys_tags="",dv_follow_up="",dv_u_node="",u_caller_phone="(000) 000-0000",dv_cmdb_ci="",dv_u_vendor="IBM",work_notes_list="",priority="5",upon_approval="proceed",dv_notify="Do Not Notify",comments="",dv_approval="Not Yet Requested",dv_watch_list="st-store0509.allmanager@kohls.com",dv_u_loc_code="",dv_business_stc="303,849",sys_created_by="eci_mtsa",reopen_count="0",dv_sys_updated_on="2016-11-09 15:24:09",dv_due_date="",dv_expected_start="",dv_sys_domain="global",correlation_id="L17SRR",impact="7",dv_time_worked="10 Minutes",dv_opened_by="MTSA Integration",u_caused_by="",u_ess_visibility="true",approval_set="",contract="",watch_list="st-user@company.com",additional_assignee_list="",dv_work_notes="2016-11-09 12:12:25 - MTSA Integration (Work notes)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
11-10-2016
03:54 AM
Hi sravankaripe,
Splunk recognize fields at search time when there is an equal (=) between field name and field value, so you can have without any activity al the fields and values.
I don't understand in your question, if you need to extract field names or field values.
If you need field names, you can use the following regex
(?<field_name>dv_[^\=]*)
if instead you want to have the values of all fields, you could use the following regex
dv_[^\=]*\=\"(?<field_name>[^\"]*)
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
11-10-2016
03:54 AM
Hi sravankaripe,
Splunk recognize fields at search time when there is an equal (=) between field name and field value, so you can have without any activity al the fields and values.
I don't understand in your question, if you need to extract field names or field values.
If you need field names, you can use the following regex
(?<field_name>dv_[^\=]*)
if instead you want to have the values of all fields, you could use the following regex
dv_[^\=]*\=\"(?<field_name>[^\"]*)
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sravankaripe
Communicator
11-10-2016
10:12 AM
i want to dispaly attribute name also like
ex:-
dv_activity_due = value1
dv_approval = value2
dv_business_duration = value3
dv_business_service = value4
dv_business_stc = value5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sravankaripe
Communicator
11-10-2016
10:15 AM
i am done thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
11-09-2016
03:02 PM
Try this, where sed is used first to replace any blank values \"\" in the dv_fields with a word "Blank" and the fields are extracted thereafter:
yourQuery to return the entire string in field stringValue
| rex mode=sed field=stringValue "s/\"\"/\"Blank\"/g"
| rex field=stringValue max_match=0 "(?<dvFieldName>(dv_[^=]+))\=\"*(?<dvFieldValue>[^\"]+)"
| eval kvPair=mvzip(dvFieldName, dvFieldValue, "~")
| mvexpand kvPair
| rex field=kvPair "(?<myField>[^~]+)\~(?<myValue>[^$]+)"
| table myField, myValue
Trial example to test the above query:
| makeresults| eval stringValue="endpoint=\"https://xyz.com/\",dv_activity_due=\"UNKNOWN\",calendar_stc=\"1231961\",approval=\"not requested\",dv_urgency=\"4 - Low\",u_department=\"\",dv_u_category=\"None\",opened_by=\"frsjytyghngfchyghgmhhmhmhj\",dv_u_caused_by=\"None\",dv_u_software_model=\"\",closed_at=\"2016-11-09 21:24:09\",activity_due=\"\",dv_number=\"INC123456\",urgency=\"7\",dv_sys_created_on=\"2016-10-26 10:11:28\",service_offering=\"\",dv_service_offering=\"\",dv_upon_reject=\"Cancel all future Tasks\",parent=\"\",work_notes=\"\",parent_incident=\"\",u_territory=\"\",dv_u_area=\"None\",u_loc_code=\"\",dv_sys_tags=\"\",dv_follow_up=\"\",dv_u_node=\"\",u_caller_phone=\"(000) 000-0000\",dv_cmdb_ci=\"\",dv_u_vendor=\"IBM\",work_notes_list=\"\",priority=\"5\",upon_approval=\"proceed\",dv_notify=\"Do Not Notify\",comments=\"\",dv_approval=\"Not Yet Requested\",dv_watch_list=\"st-store0509.allmanager@kohls.com\",dv_u_loc_code=\"\",dv_business_stc=\"303,849\",sys_created_by=\"eci_mtsa\",reopen_count=\"0\",dv_sys_updated_on=\"2016-11-09 15:24:09\",dv_due_date=\"\",dv_expected_start=\"\",dv_sys_domain=\"global\",correlation_id=\"L17SRR\",impact=\"7\",dv_time_worked=\"10 Minutes\",dv_opened_by=\"MTSA Integration\",u_caused_by=\"\",u_ess_visibility=\"true\",approval_set=\"\",contract=\"\",watch_list=\"st-store0509.allmanager@kohls.com\",additional_assignee_list=\"\",dv_work_notes=\"2016-11-09 12:12:25 - MTSA Integration (Work notes)\""
| rex mode=sed field=stringValue "s/\"\"/\"Blank\"/g"
| rex field=stringValue max_match=0 "(?<dvFieldName>(dv_[^=]+))\=\"(?<dvFieldValue>[^\"]*)"
| eval kvPair=mvzip(dvFieldName, dvFieldValue, "~")
| mvexpand kvPair
| rex field=kvPair "(?<myField>[^~]+)\~(?<myValue>[^$]+)"
| table myField, myValue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sk314
Builder
11-09-2016
02:12 PM
Splunk should automatically extract key=value pairs in search time. Have you tried searching in Verbose mode first? (As long as KV_MODE=auto for the sourcetype)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sravankaripe
Communicator
11-09-2016
02:44 PM
i tried it. it dose not retrieving all the values.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Related Topics
Get Updates on the Splunk Community!
Observability Simplified: Combining User Experience, Application Performance & ...
Tech Talk
Observability Simplified: Combining User Experience, Application Performance & Network ...
Event Series May & June: From Network Visibility to Service Intelligence
Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI
In today’s hybrid ...
Global Splunk User Group Events: May + June 2026
Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide
Staying ahead in the fast-paced ...
