Re: how to extract partial value from filed and sh...

naresh_553 · ‎08-09-2023

Hi , Im trying to extract distinct email is as column and preparing some counts .For this im thinking to extract the email data from log field . Can someone please provide pointers

{
"log": " \u001b[2m2023-08-09 21:28:28.347\u001b[0;39m \u001b[32mDEBUG\u001b[0;39m \u001b[35m1\u001b[0;39m \u001b[2m---\u001b[0;39m \u001b[2m[nio-8080-exec-7]\u001b[0;39m \u001b[36ms.s.w.c.SecurityContextPersistenceFilter\u001b[0;39m \u001b[2m:\u001b[0;39m Set SecurityContextHolder to SecurityContextImpl [Authentication= SCOPE_profile1]], User Attributes: [{ email=venkatanaresh.mokka@one.verizon.com}], Credentials=[PROTECTED] ]]\n",
"stream": "stdout",

"kubernetes": {
"container_name": "draftx-ui-gateway",

}
}

yuanliu · ‎08-10-2023

You must have a field name log. Use extract (aka kv) on it.

| rename log as _raw 
| kv

isoutamo · ‎08-11-2023

Hi

as usual there is another way too 😉 I'm expecting that this information is on field called "log". If it's something else then just change field=<your field name>

| rex field=log "email=(?<email>[^}]+)"

You could check by Job Inspector which one is better on your case.

r. Ismo

how to extract partial value from filed and show as column

field extraction

regex

rex

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation