Solved: Re: how to extract one value from log

ivana27 · ‎02-16-2021

Hi,

i have log like this

[Information] WebService Call CheckVehicle : country=111111, licensePlate=12DUMMY

And i would like to extract only licensePlate using maybe rex.

Thank you

Kwip · ‎02-18-2021

So you mean the log format is going to be the same and country value will change ? And you want to extract licensePlate values on this pattern of logs?

Try something below,

| rex field=_raw "country=\d+\, licensePlate=(?<LicensePlateNumber>[^ ]+)"

View solution in original post

Kwip · ‎02-17-2021

Hi @ivana27 ,

If you want to extract only from the mentioned log, include the unique information from the specific log

| rex field=_raw "country=111111\, licensePlate=(?<LicensePlate>[^ ]+)"

ivana27 · ‎02-17-2021

Hi @Kwip ,

thank you for helping. Problem is this just example i gave, values for country and licensePlate are different in events. So, i need from that row to take only value of license.

Thanks

gcusello · ‎02-17-2021

Hi @ivana27,

if you cannot identify a more complex regex (as me an @Kwip hinted), the only way if my other hint: use a different name for the regex extracted field.

Ciao.

Giuseppe

Kwip · ‎02-18-2021

Hi @ivana27 , @gcusello is right.

So you mean the log format is going to be the same and country value will change ? And you want to extract licensePlate values on this pattern of logs?

Try something below,

| rex field=_raw "country=\d+\, licensePlate=(?<LicensePlateNumber>[^ ]+)"

gcusello · ‎02-16-2021

Hi @ivana27,

you should already have the required field extraction because Splunk recognises the pair field_name=field_value.

Anyway, using regex, you could try something like this:

| rex "licensePlate\=(?<licensePlate>[^ ]+)"

that you can test at https://regex101.com/r/oQDejO/1

Ciao.

Giuseppe

ivana27 · ‎02-16-2021

Thank you for quick respond, i already put same rex command but in event there is several places where licensePlate is shown but i want extract only from that exact log mentioned here.

Thanks

gcusello · ‎02-16-2021

Hi @ivana27,

if this answer solves your problem please accept it for the other people of Community, otherwise tell me if I can help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

ivana27 · ‎02-16-2021

Hi,

thank you for reply. I still didnt solve it 😞

Is it possible to refer only to this log and extract only from there licence?

Thank you

gcusello · ‎02-17-2021

Hi @ivana27,

if the problem is that the Regex takes more values that the correct one, the only way is to create a regex more complex that recognizes only the correct values.

If the problem is that the licensePlate field is also automatically extracted by Splunk and sometimes in a not correct way, you could use a different name for the regex extraction and use that field instead the other in your searches.

Ciao.

Giuseppe

how to extract one value from log

rex

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

how to extract one value from log

rex

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...