Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

multivalue field extraction

nawazns5038
Builder
‎01-12-2018 03:58 PM

01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898
01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99

I have logs like the above. I want all values after eod- to grouped into one field.
01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898
i should get hhh kkk llll kaskas as one value

01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99
i should get hhh kkk llll kaskas llass as one value

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-12-2018 04:46 PM

@nawazns5038, try the following rex command:

| rex "eod-(?<eod>[^\=]+)\=" max_match=0

Following is the run anywhere example for the sample data provided:

| makeresults
| eval _raw="01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898"
| append [| makeresults 
| eval _raw="01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99"]
| rex "eod-(?<eod>[^\=]+)\=" max_match=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-12-2018 04:46 PM

@nawazns5038, try the following rex command:

| rex "eod-(?<eod>[^\=]+)\=" max_match=0

Following is the run anywhere example for the sample data provided:

| makeresults
| eval _raw="01-12-2018 23:41:12.856 +0000 INFO eod-hhh=5 eod-kkk=7 eod-lllll=88 eod-kaskas=898"
| append [| makeresults 
| eval _raw="01-12-2018 23:41:12.773 +0000 INFO eod-hhh=11 eod-kkk=44 eod-lllll=213123 eod-kaskas=2122 eod-llass=99"]
| rex "eod-(?<eod>[^\=]+)\=" max_match=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...