Re: multi field extraction form the logs

saravana22 · ‎10-18-2021

Hi Experts,

Am new to splunk..

I need to extract the fields which is in MSGTXT which are highlighted. Only when MSGTXT in this format(SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M") as there are different type message text also in the logs

Example

SZ5114RA as A

00 as B

1045 as C

.06 as D

.0 as E

165K as F

2% as G

9728K as H

3% as I

400M as J

Please help..!! thank you

below is the Sample logs..

{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.53 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ5114RA","MSGTXT":"SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M","MSGREQTYPE":""}

{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.54 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ04","MSGTXT":"SZ04 ENDED -SYS=P01 NAME=LIVE$SZ TOTAL CPU TIME= 12.4 TOTAL ELAPSED TIME= 47.2","MSGREQTYPE":""}

ITWhisperer · ‎10-18-2021

| rex field=MSGTXT "^(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)$"

saravana22 · ‎10-18-2021

Thank you so much for your quick response

it's not extracted the fields 😞

ITWhisperer · ‎10-18-2021

OK try extracting from _raw

| rex "MSGTXT\":\s*\"(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)\""

saravana22 · ‎10-18-2021

Tried with _raw as well.. Still no changes..

multi field extraction form the logs

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation