Splunk Search

How to extract the required data from the _raw field in Splunk?

vinod743374
Communicator

This is what my _raw data consists of:

06/24/2021 17:26:17 +0530, info_search_time=1624535777.471, Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed, Node Name="IND-JLN-DIV-COR-SW-02", snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Node Ip Address="3.205.208.35", Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed, Config Title="4/26/2021 01:02 PM - Running", Line Vty 0 4=Passed, Logging Rule=Passed, Banner Rule=Passed, Config Type=Running, Finger Rule=Passed, Http Server=Passed, Name Server=Passed, Pad Service=Passed, System Boot=Passed, Telnet Rule=Passed, Trap Source=Passed, NTP Rule- GE=Passed, ftp service=Passed, ssh version=Passed, Source Route=Passed, Http Access Class=Passed


I need some of the fields to be extracted from that data:

Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed, Node Name="IND-JLN-DIV-COR-SW-02.genpact.com", snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Node Ip Address="3.205.208.35", Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,



Please help with the solution. It would be appreciated.

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| eval keep=_raw
| rex mode=sed "s/.*Dns rule/Dns rule/g"


0 Karma

vinod743374
Communicator

Thank you, it is working. Is there any way to save that filtered _raw data to a new field? Is there any possibility to keep the original data also? Can you give me any solution for this?

0 Karma

vinod743374
Communicator

Thank you, it is working. Is there any possibility to save this filtered data to a new field, or is there any possibility to keep the original data also?

0 Karma


vinod743374
Communicator

Thank you so much .

0 Karma

vinod743374
Communicator

I want to extract some of the raw data from _raw that are not useful for me.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| extract pairdelim="," kvdelim="="
0 Karma

vinod743374
Communicator

Thanks for the response, but I need those fields to be like _raw only, not like a table.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Which fields do you want or not want? For example, if you didn't want everything before "Dns rule" you could do this:

| rex mode=sed "s/.*Dns rule/Dns rule/g"
0 Karma
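The two techniques in this thread, trimming _raw so it starts at a marker (the rex mode=sed answer) and splitting it into key=value pairs (the extract pairdelim/kvdelim answer), shown together as an added Python example; this is not code from the thread or from Splunk. The sample event is constructed in the same layout as the question's _raw data (the host name, IP address, the Failed result and the comma inside Config Title are invented), and WANTED is an assumed subset of the fields the question lists. The example also keeps the untouched original alongside the trimmed copy, as eval keep=_raw does, and rebuilds a _raw-style string from only the wanted fields, which is what the asker wanted instead of a table.

```python
import re

# Constructed sample event in the same "key=value, key=value" layout as the
# _raw data in the question. Host name, IP, the Failed result and the comma
# inside Config Title are invented for the example.
SAMPLE_RAW = (
    '06/24/2021 17:26:17 +0530, info_search_time=1624535777.471, Dns Rule=Passed, '
    'HOSTNAME=Passed, username=Passed, ssh Timeout rule=Failed, '
    'Node Name="EXAMPLE-SW-01", snmp rule=Passed, Enable Password=Passed, '
    'Line Vty 0 4 Timeout & acl=Passed, Node Ip Address="192.0.2.10", '
    'Config Title="Running, 4/26/2021", Telnet Rule=Passed'
)

# Assumed subset of the fields the asker wanted, in the order they should appear.
WANTED = ["Dns Rule", "HOSTNAME", "username", "ssh Timeout rule", "Node Name",
          "snmp rule", "Enable Password", "Node Ip Address"]

# One "key=value" pair: the key runs up to "=", the value is either a
# double-quoted string (which may contain commas) or everything up to the next comma.
PAIR_RE = re.compile(r'\s*([^=,]+?)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def trim_prefix(raw, marker="Dns Rule"):
    """Same effect as `rex mode=sed "s/.*Dns Rule/Dns Rule/"`: drop everything
    before the first occurrence of marker. Unchanged if the marker is absent."""
    idx = raw.find(marker)
    return raw if idx < 0 else raw[idx:]


def extract_pairs(raw):
    """Same effect as `extract pairdelim="," kvdelim="="`, but quote-aware, so a
    quoted value that contains a comma is kept whole instead of being split."""
    fields = {}
    for m in PAIR_RE.finditer(raw):
        key, value = m.group(1).strip(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def rebuild_raw(fields, wanted):
    """Re-serialise only the wanted fields in the original _raw style.
    Values that are not a single bare word are re-quoted, matching how the
    source quoted host names and IP addresses."""
    parts = []
    for key in wanted:
        if key in fields:
            value = fields[key]
            if not re.fullmatch(r"\w+", value):
                value = '"%s"' % value
            parts.append("%s=%s" % (key, value))
    return ", ".join(parts)


def failed_rules(fields):
    """Compliance checks whose result is Failed: the entries a reviewer would act on."""
    return sorted(k for k, v in fields.items() if v == "Failed")


def process_event(raw):
    """Mirror of the thread's pipeline: keep=_raw, trim the prefix, extract the
    pairs, then rebuild a filtered _raw string from the wanted fields."""
    trimmed = trim_prefix(raw)
    fields = extract_pairs(trimmed)
    return {
        "keep": raw,            # untouched original, like `eval keep=_raw`
        "trimmed": trimmed,
        "fields": fields,
        "filtered_raw": rebuild_raw(fields, WANTED),
    }


if __name__ == "__main__":
    event = process_event(SAMPLE_RAW)
    print(event["filtered_raw"])
    print("failed:", failed_rules(event["fields"]))
```

Both the sed expression in the answer and trim_prefix match the marker literally and case-sensitively, so it has to be spelled exactly as it appears in the event. A naive split on every comma would cut a quoted value such as Config Title in half; the quote-aware regex keeps it whole, and failed_rules gives the short list of checks that did not pass, which is usually the only part of such an event worth alerting on.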