Splunk Search

How to extract 2 different values from a string and put them into 2 fields

Tannawi_Chauha1
Engager

My data looks like:

A is running
b is running

c is running

Each event contains a bunch of data like this. I want to create 2 fields, one capturing (A, B, C) in rows and the other capturing the corresponding status (running) in rows.

Please provide the needed help.

Thanks in advance.


Tannawi_Chauha1
Engager

Didn't work... :(
I think the rex pattern is causing the problem.
My data is like
'aaaa bbbb cccc dddd' (1234) is running.
'akdg ytdf tyui tyhj' (1245) is running.

So the output should be in two different fields:
aaaa bbbb cccc dddd running
...


sundareshr
Legend

See if you see the right values in the right panel on this site:

https://regex101.com/r/mJ8iX9/1


inventsekar
SplunkTrust
your search | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status

Will the first column have only one letter (a or b or ...), or can it have a few letters (host1, etc.)?
Will status have only "running", or what other values can it have (running, not running, failed, etc.)?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Tannawi_Chauha1
Engager

There is no value under the table first status, i.e. I am not able to see any output.


inventsekar
SplunkTrust

The "status" is the variable I am using to extract the word "running".

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Tannawi_Chauha1
Engager

So under the field name "status" the running value should be populated, but the table is blank. Just one row is there, having the name which is captured under <>.


inventsekar
SplunkTrust

I uploaded these sample events:
A is running
b is running
c is running
A is running
b is failed
c is running

I ran this query:

sourcetype=runningrex | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status _raw

and I get this result:

first  status   _raw
c      running  c is running
b      failed   b is failed
A      running  A is running
c      running  c is running
b      running  b is running
A      running  A is running

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

sundareshr
Legend

Try this

your search | rex field=_raw "(?<first>\w+)\sis\s(?<status>\w+)" | table first status

Tannawi_Chauha1
Engager

None of the solutions give the desired output. All outputs are blank.

I am using Splunk version 6.2.5; could this cause any problem?

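An added example, not part of the thread and not code from any of the posters, that reproduces both extractions outside Splunk so the two behaviours can be checked side by side. It uses Python's re module with the same regexes the thread proposes (Splunk's rex is PCRE and writes named groups as (?<name>...); Python needs (?P<name>...), which is the only change). On the quoted format shown in the second post, "'aaaa bbbb cccc dddd' (1234) is running.", the thread's pattern can never match because the character before " is" is ")", not a word character, which is consistent with the blank table reported. The block also shows a pattern that handles that format, and uses finditer, the equivalent of rex max_match=0, because the opening post says each event carries several such lines. All sample events are constructed for the example.

```python
import re

# Constructed sample events (not pulled from any real index). The first list is
# the format from the opening post, the second the quoted format shown later in
# the thread, and the third a single multi-line event, since the OP says each
# event carries several such lines.
SIMPLE_EVENTS = [
    "A is running",
    "b is running",
    "c is running",
    "b is failed",
]
QUOTED_EVENTS = [
    "'aaaa bbbb cccc dddd' (1234) is running.",
    "'akdg ytdf tyui tyhj' (1245) is running.",
    "'zzzz' (9999) is not running.",
]
MULTILINE_EVENT = (
    "'svc one' (1) is running.\n"
    "'svc two' (2) is failed\n"          # deliberately no trailing period
    "'svc three' (3) is running."
)

# The pattern suggested in the thread, with Python's (?P<name>...) group syntax
# in place of PCRE's (?<name>...).
THREAD_PATTERN = re.compile(r"(?P<first>\w+)\sis\s(?P<status>\w+)")

# A pattern for the quoted format (added here, not from the thread): take
# everything between the single quotes as `first`, skip the parenthesised
# number, then take the status up to a trailing period or end of line so that
# "not running" stays in one piece. [^'\n] and [^.\n] stop at newlines so one
# malformed line cannot swallow the next one.
QUOTED_PATTERN = re.compile(
    r"'(?P<first>[^'\n]+)'\s*\(\d+\)\s+is\s+(?P<status>[^.\n]+)\.?$",
    re.MULTILINE,
)


def extract(event, pattern):
    """Return every (first, status) pair found in one event.

    finditer behaves like `rex max_match=0`: rex stops after the first match
    unless max_match is raised, so a multi-line event would otherwise yield
    only its first "X is Y" line.
    """
    return [(m.group("first"), m.group("status")) for m in pattern.finditer(event)]


def table(events, pattern):
    """Flatten the pairs from a list of events into rows, like `| table first status`."""
    rows = []
    for event in events:
        rows.extend(extract(event, pattern))
    return rows


if __name__ == "__main__":
    print(table(SIMPLE_EVENTS, THREAD_PATTERN))      # one row per simple event
    print(table(QUOTED_EVENTS, THREAD_PATTERN))      # empty: ")" before " is" defeats \w+\sis
    print(table(QUOTED_EVENTS, QUOTED_PATTERN))      # one row per quoted event, "not running" intact
    print(extract(MULTILINE_EVENT, QUOTED_PATTERN))  # all three lines of the one event
```

In SPL the same second pattern would be passed to rex with max_match=0 and the (?m) flag so that $ matches at each line end inside a multi-line event; with max_match=0 the first and status fields come back multivalued, so turning them into one row per pair needs mvzip followed by mvexpand rather than table alone.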