Splunk Search

multi field extraction form the logs

saravana22
Explorer

Hi Experts,

Am new to splunk..

I need to extract the fields which is in MSGTXT which are highlighted. Only when MSGTXT in  this format(SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M") as there are different type message text also in the logs

Example

SZ5114RA as A

00 as B

1045 as C

.06 as D

.0 as E

165K as F

2% as G

9728K as H

3% as I

400M as J

 

Please help..!! thank you

below is the Sample logs..

{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.53 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ5114RA","MSGTXT":"SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M","MSGREQTYPE":""}
 
{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.54 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ04","MSGTXT":"SZ04 ENDED -SYS=P01 NAME=LIVE$SZ TOTAL CPU TIME= 12.4 TOTAL ELAPSED TIME= 47.2","MSGREQTYPE":""}

 

 

 

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

 

| rex field=MSGTXT "^(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)$"

 

0 Karma

saravana22
Explorer

Thank you so much for your quick response

it's not extracted the fields :disappointed_face:

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK try extracting from _raw

| rex "MSGTXT\":\s*\"(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)\""
0 Karma

saravana22
Explorer

Tried with _raw as well.. Still no changes..

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...