Re: how to extract a field from the results of a ...

pratapa · ‎10-20-2019

Some events generated from the below search query.

index=webmethods_nonprd CESAP.pub.Shipment.handler:processShipment_PostalMailProvider OR CEAustraliaPost.sub.Shipment.handler | transaction shipment | search NOT (linecount="3" AND "Published shipment document" AND "Successfully created Australia Post shipment order" "Generated Australia Post shipment order summary and archived it in the SAP content repository")

We would like to extract the field "shipping point" from the results of the above search query.

Please let us know how to modify the above search query to extract the field "shipping point".

begleyj1 · ‎10-23-2019

It depends on your results. Take a look at the doc here for guided assistance with extracting fields: https://docs.splunk.com/Documentation/Splunk/7.3.2/Knowledge/ExtractfieldsinteractivelywithIFX

pratapa · ‎10-20-2019

For example :

How to extract the value 7020 from the below field "shipping point" and assign it to a variable shipping_point

shipping point="7020"

anthonymelita · ‎10-21-2019

You need to provide an example of what the returned event data looks like. With an accurately formatted example, someone can assist you with regex. Or if you already know regex, look up documentation for the "| rex" command. Generic example would be like:
| rex field=_raw "(something\sbefore)(?<shipping point>\d{4})"

how to extract a field from the results of a search query.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!