Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help me rex extraction

sravankaripe
Communicator
‎11-09-2016 01:49 PM

i want to extract the fields and values where field name start with dv_ . Please help me with field extraction on this case.

endpoint="https://xyz.com/",dv_activity_due="UNKNOWN",calendar_stc="1231961",approval="not requested",dv_urgency="4 - Low",u_department="",dv_u_category="None",opened_by="frsjytyghngfchyghgmhhmhmhj",dv_u_caused_by="None",dv_u_software_model="",closed_at="2016-11-09 21:24:09",activity_due="",dv_number="INC123456",urgency="7",dv_sys_created_on="2016-10-26 10:11:28",service_offering="",dv_service_offering="",dv_upon_reject="Cancel all future Tasks",parent="",work_notes="",parent_incident="",u_territory="",dv_u_area="None",u_loc_code="",dv_sys_tags="",dv_follow_up="",dv_u_node="",u_caller_phone="(000) 000-0000",dv_cmdb_ci="",dv_u_vendor="IBM",work_notes_list="",priority="5",upon_approval="proceed",dv_notify="Do Not Notify",comments="",dv_approval="Not Yet Requested",dv_watch_list="st-store0509.allmanager@kohls.com",dv_u_loc_code="",dv_business_stc="303,849",sys_created_by="eci_mtsa",reopen_count="0",dv_sys_updated_on="2016-11-09 15:24:09",dv_due_date="",dv_expected_start="",dv_sys_domain="global",correlation_id="L17SRR",impact="7",dv_time_worked="10 Minutes",dv_opened_by="MTSA Integration",u_caused_by="",u_ess_visibility="true",approval_set="",contract="",watch_list="st-user@company.com",additional_assignee_list="",dv_work_notes="2016-11-09 12:12:25 - MTSA Integration (Work notes)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-10-2016 03:54 AM

Hi sravankaripe,
Splunk recognize fields at search time when there is an equal (=) between field name and field value, so you can have without any activity al the fields and values.

I don't understand in your question, if you need to extract field names or field values.
If you need field names, you can use the following regex

(?<field_name>dv_[^\=]*)

if instead you want to have the values of all fields, you could use the following regex

dv_[^\=]*\=\"(?<field_name>[^\"]*)

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-10-2016 03:54 AM

Hi sravankaripe,
Splunk recognize fields at search time when there is an equal (=) between field name and field value, so you can have without any activity al the fields and values.

I don't understand in your question, if you need to extract field names or field values.
If you need field names, you can use the following regex

(?<field_name>dv_[^\=]*)

if instead you want to have the values of all fields, you could use the following regex

dv_[^\=]*\=\"(?<field_name>[^\"]*)

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎11-10-2016 10:12 AM

i want to dispaly attribute name also like

ex:-

dv_activity_due = value1
dv_approval = value2
dv_business_duration = value3
dv_business_service = value4
dv_business_stc = value5

0 Karma
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎11-10-2016 10:15 AM

i am done thanks

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎11-09-2016 03:02 PM

Try this, where sed is used first to replace any blank values \"\" in the dv_fields with a word "Blank" and the fields are extracted thereafter:

yourQuery to return the entire string in field stringValue
| rex mode=sed field=stringValue "s/\"\"/\"Blank\"/g"
| rex field=stringValue max_match=0 "(?<dvFieldName>(dv_[^=]+))\=\"*(?<dvFieldValue>[^\"]+)"
| eval kvPair=mvzip(dvFieldName, dvFieldValue, "~")
| mvexpand kvPair
| rex field=kvPair "(?<myField>[^~]+)\~(?<myValue>[^$]+)"
| table myField, myValue

Trial example to test the above query:

| makeresults| eval stringValue="endpoint=\"https://xyz.com/\",dv_activity_due=\"UNKNOWN\",calendar_stc=\"1231961\",approval=\"not requested\",dv_urgency=\"4 - Low\",u_department=\"\",dv_u_category=\"None\",opened_by=\"frsjytyghngfchyghgmhhmhmhj\",dv_u_caused_by=\"None\",dv_u_software_model=\"\",closed_at=\"2016-11-09 21:24:09\",activity_due=\"\",dv_number=\"INC123456\",urgency=\"7\",dv_sys_created_on=\"2016-10-26 10:11:28\",service_offering=\"\",dv_service_offering=\"\",dv_upon_reject=\"Cancel all future Tasks\",parent=\"\",work_notes=\"\",parent_incident=\"\",u_territory=\"\",dv_u_area=\"None\",u_loc_code=\"\",dv_sys_tags=\"\",dv_follow_up=\"\",dv_u_node=\"\",u_caller_phone=\"(000) 000-0000\",dv_cmdb_ci=\"\",dv_u_vendor=\"IBM\",work_notes_list=\"\",priority=\"5\",upon_approval=\"proceed\",dv_notify=\"Do Not Notify\",comments=\"\",dv_approval=\"Not Yet Requested\",dv_watch_list=\"st-store0509.allmanager@kohls.com\",dv_u_loc_code=\"\",dv_business_stc=\"303,849\",sys_created_by=\"eci_mtsa\",reopen_count=\"0\",dv_sys_updated_on=\"2016-11-09 15:24:09\",dv_due_date=\"\",dv_expected_start=\"\",dv_sys_domain=\"global\",correlation_id=\"L17SRR\",impact=\"7\",dv_time_worked=\"10 Minutes\",dv_opened_by=\"MTSA Integration\",u_caused_by=\"\",u_ess_visibility=\"true\",approval_set=\"\",contract=\"\",watch_list=\"st-store0509.allmanager@kohls.com\",additional_assignee_list=\"\",dv_work_notes=\"2016-11-09 12:12:25 - MTSA Integration (Work notes)\""
| rex mode=sed field=stringValue "s/\"\"/\"Blank\"/g"
| rex field=stringValue max_match=0 "(?<dvFieldName>(dv_[^=]+))\=\"(?<dvFieldValue>[^\"]*)"
| eval kvPair=mvzip(dvFieldName, dvFieldValue, "~")
| mvexpand kvPair
| rex field=kvPair "(?<myField>[^~]+)\~(?<myValue>[^$]+)"
| table myField, myValue
Reply
Solved! Jump to solution

sk314
Builder
‎11-09-2016 02:12 PM

Splunk should automatically extract key=value pairs in search time. Have you tried searching in Verbose mode first? (As long as KV_MODE=auto for the sourcetype)

0 Karma
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎11-09-2016 02:44 PM

i tried it. it dose not retrieving all the values.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...