Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1
Engager
‎08-11-2016 12:44 AM

My data looks like:

A is running
b is running

c is running

each events contain such kind of bunch of data. i want to create 2 fields capturing (A,B,C) in row and other capturing the corresponding status(running) in row.

please provide me needful help

thanks in advance

Tags (1)
0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 12:53 PM

didn't work......:(
I think rex pattern is causing problem.
My data is like
'aaaa bbbb cccc dddd' (1234) is running.
'akdg ytdf tyui tyhj' (1245) is running.

so output should be in two different field
aaaa bbbb cccc dddd running
.
.
.
.

0 Karma
Reply

sundareshr
Legend
‎08-11-2016 12:56 PM

See if you see the right values in the right panel in this site

https://regex101.com/r/mJ8iX9/1

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-11-2016 05:16 AM 
your search | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status

first column will have only one letter (a or b or .. ) or it can have a few letters (host1, etc )
status will have only "running" or what other values it can have (running, not running, failed, etc..)

0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 05:24 AM

there is no value under the table first status i.e not able to see any output

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-11-2016 05:37 AM

the "status" is the variable i am using the extract the word "running".

0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 05:44 AM

so under the field name "status" running value should be populated but the table is blank. just one row is there having name which is captured under <>.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-11-2016 05:50 AM

i uploaded these sample events -
A is running
b is running
c is running
A is running
b is failed
c is running

i ran this query - 

sourcetype=runningrex | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status _raw

and i get this result -

first status _raw
c running c is running
b failed b is failed
A running A is running
c running c is running
b running b is running
A running A is running

0 Karma
Reply

sundareshr
Legend
‎08-11-2016 05:55 AM

Try this

your search | rex field=_raw "(?<first>\w+)\sis\s(?<status>\w+)" | table first status
0 Karma
Reply

Tannawi_Chauha1
Engager
‎08-11-2016 05:59 AM

none of the solution give the desire output. all output are blank.

Splunk version 6.2.5 i am using, could this cause any problem

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...