Solved: Re: how to extract one value from log

ivana27 · ‎02-16-2021

Hi,

i have log like this

[Information] WebService Call CheckVehicle : country=111111, licensePlate=12DUMMY

And i would like to extract only licensePlate using maybe rex.

Thank you

Kwip · ‎02-18-2021

So you mean the log format is going to be the same and country value will change ? And you want to extract licensePlate values on this pattern of logs?

Try something below,

| rex field=_raw "country=\d+\, licensePlate=(?<LicensePlateNumber>[^ ]+)"

View solution in original post

Kwip · ‎02-17-2021

Hi @ivana27 ,

If you want to extract only from the mentioned log, include the unique information from the specific log

| rex field=_raw "country=111111\, licensePlate=(?<LicensePlate>[^ ]+)"

ivana27 · ‎02-17-2021

Hi @Kwip ,

thank you for helping. Problem is this just example i gave, values for country and licensePlate are different in events. So, i need from that row to take only value of license.

Thanks

gcusello · ‎02-17-2021

Hi @ivana27,

if you cannot identify a more complex regex (as me an @Kwip hinted), the only way if my other hint: use a different name for the regex extracted field.

Ciao.

Giuseppe

Kwip · ‎02-18-2021

Hi @ivana27 , @gcusello is right.

So you mean the log format is going to be the same and country value will change ? And you want to extract licensePlate values on this pattern of logs?

Try something below,

| rex field=_raw "country=\d+\, licensePlate=(?<LicensePlateNumber>[^ ]+)"

gcusello · ‎02-16-2021

Hi @ivana27,

you should already have the required field extraction because Splunk recognises the pair field_name=field_value.

Anyway, using regex, you could try something like this:

| rex "licensePlate\=(?<licensePlate>[^ ]+)"

that you can test at https://regex101.com/r/oQDejO/1

Ciao.

Giuseppe

ivana27 · ‎02-16-2021

Thank you for quick respond, i already put same rex command but in event there is several places where licensePlate is shown but i want extract only from that exact log mentioned here.

Thanks

gcusello · ‎02-16-2021

Hi @ivana27,

if this answer solves your problem please accept it for the other people of Community, otherwise tell me if I can help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

ivana27 · ‎02-16-2021

Hi,

thank you for reply. I still didnt solve it 😞

Is it possible to refer only to this log and extract only from there licence?

Thank you

gcusello · ‎02-17-2021

Hi @ivana27,

if the problem is that the Regex takes more values that the correct one, the only way is to create a regex more complex that recognizes only the correct values.

If the problem is that the licensePlate field is also automatically extracted by Splunk and sometimes in a not correct way, you could use a different name for the regex extraction and use that field instead the other in your searches.

Ciao.

Giuseppe

how to extract one value from log

rex

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...