Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1
Engager
‎08-11-2016 12:44 AM

My data looks like:

A is running
b is running

c is running

each events contain such kind of bunch of data. i want to create 2 fields capturing (A,B,C) in row and other capturing the corresponding status(running) in row.

please provide me needful help

thanks in advance

Tags (1)
0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 12:53 PM

didn't work......:(
I think rex pattern is causing problem.
My data is like
'aaaa bbbb cccc dddd' (1234) is running.
'akdg ytdf tyui tyhj' (1245) is running.

so output should be in two different field
aaaa bbbb cccc dddd running
.
.
.
.

0 Karma
Reply

sundareshr
Legend
‎08-11-2016 12:56 PM

See if you see the right values in the right panel in this site

https://regex101.com/r/mJ8iX9/1

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-11-2016 05:16 AM 
your search | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status

first column will have only one letter (a or b or .. ) or it can have a few letters (host1, etc )
status will have only "running" or what other values it can have (running, not running, failed, etc..)

0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 05:24 AM

there is no value under the table first status i.e not able to see any output

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-11-2016 05:37 AM

the "status" is the variable i am using the extract the word "running".

0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 05:44 AM

so under the field name "status" running value should be populated but the table is blank. just one row is there having name which is captured under <>.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-11-2016 05:50 AM

i uploaded these sample events -
A is running
b is running
c is running
A is running
b is failed
c is running

i ran this query - 

sourcetype=runningrex | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status _raw

and i get this result -

first status _raw
c running c is running
b failed b is failed
A running A is running
c running c is running
b running b is running
A running A is running

0 Karma
Reply

sundareshr
Legend
‎08-11-2016 05:55 AM

Try this

your search | rex field=_raw "(?<first>\w+)\sis\s(?<status>\w+)" | table first status
0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 05:59 AM

none of the solution give the desire output. all output are blank.

Splunk version 6.2.5 i am using, could this cause any problem

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...