Re: multi field extraction form the logs

saravana22 · ‎10-18-2021

Hi Experts,

Am new to splunk..

I need to extract the fields which is in MSGTXT which are highlighted. Only when MSGTXT in this format(SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M") as there are different type message text also in the logs

Example

SZ5114RA as A

00 as B

1045 as C

.06 as D

.0 as E

165K as F

2% as G

9728K as H

3% as I

400M as J

Please help..!! thank you

below is the Sample logs..

{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.53 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ5114RA","MSGTXT":"SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M","MSGREQTYPE":""}

{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.54 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ04","MSGTXT":"SZ04 ENDED -SYS=P01 NAME=LIVE$SZ TOTAL CPU TIME= 12.4 TOTAL ELAPSED TIME= 47.2","MSGREQTYPE":""}

ITWhisperer · ‎10-18-2021

| rex field=MSGTXT "^(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)$"

saravana22 · ‎10-18-2021

Thank you so much for your quick response

it's not extracted the fields 😞

ITWhisperer · ‎10-18-2021

OK try extracting from _raw

| rex "MSGTXT\":\s*\"(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)\""

saravana22 · ‎10-18-2021

Tried with _raw as well.. Still no changes..

multi field extraction form the logs

field extraction

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!