Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to extract one value from log

ivana27
Path Finder
‎02-16-2021 06:56 AM

Hi,

i have log like this

[Information] WebService Call CheckVehicle : country=111111, licensePlate=12DUMMY

And i would like to extract only licensePlate using maybe rex.

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Kwip
Contributor
‎02-18-2021 12:52 AM

Hi @ivana27 ,  @gcusello  is right.

So you mean the log format is going to be the same and  country value will change ? And you want to extract licensePlate values on this pattern of logs?

Try something below, 

| rex field=_raw "country=\d+\, licensePlate=(?<LicensePlateNumber>[^ ]+)"

View solution in original post

Reply
Solved! Jump to solution

Kwip
Contributor
‎02-17-2021 11:01 AM

Hi @ivana27 ,

If you want to extract only from the mentioned log, include the unique information from the specific log

 

| rex field=_raw "country=111111\, licensePlate=(?<LicensePlate>[^ ]+)"

0 Karma
Reply
Solved! Jump to solution

ivana27
Path Finder
‎02-17-2021 11:50 PM

Hi @Kwip ,

thank you for helping. Problem is this just example i gave, values for country and licensePlate are different in events. So, i need from that row to take only value of license.

Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-17-2021 11:54 PM

Hi @ivana27,

if you cannot identify a more complex regex (as me an @Kwip hinted), the only way if my other hint: use a different name for the regex extracted field.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

Kwip
Contributor
‎02-18-2021 12:52 AM

Hi @ivana27 ,  @gcusello  is right.

So you mean the log format is going to be the same and  country value will change ? And you want to extract licensePlate values on this pattern of logs?

Try something below, 

| rex field=_raw "country=\d+\, licensePlate=(?<LicensePlateNumber>[^ ]+)"

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-16-2021 07:49 AM

Hi @ivana27,

you should already have the required field extraction because Splunk recognises the pair field_name=field_value.

Anyway, using regex, you could try something like this:

| rex "licensePlate\=(?<licensePlate>[^ ]+)"

that you can test at https://regex101.com/r/oQDejO/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ivana27
Path Finder
‎02-16-2021 07:55 AM

Thank you for quick respond, i already put same rex command but in event there is several places where licensePlate is shown but i want extract only from that exact log mentioned here.

Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-16-2021 08:00 AM

Hi @ivana27,

if this answer solves your problem please accept it for the other people of Community, otherwise tell me if I can help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

ivana27
Path Finder
‎02-16-2021 11:57 PM

Hi,

thank you for reply. I still didnt solve it 😞

Is it possible to refer only to this log and extract only from there licence?

Thank you

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-17-2021 12:08 AM

Hi @ivana27,

if the problem is that the Regex takes more values that the correct one, the only way is to create a regex more complex that recognizes only the correct values.

If the problem is that the licensePlate field is also automatically extracted by Splunk and sometimes in a not correct way, you could use a different name for the regex extraction and use that field instead the other in your searches.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...