Solved: need help in extracting a substring from a string

owie6466 · ‎04-28-2020

hello splunkers! new to splunk and i am needing to extract a word from a message field.

this is the message

The Cluster Service service entered the running state.

i want to extract "running state" and use it to indicate a status of a server.

thank you!

codebuilder · ‎04-28-2020

Pipe your existing search to erex, give the field a name and provide an example.

...| erex ServiceState examples="running state"

When your search completes use the job inspector to find the regex that Splunk used to find your match.

----
An upvote would be appreciated and Accept Solution if it helps!

codebuilder · ‎04-28-2020

Pipe your existing search to erex, give the field a name and provide an example.

...| erex ServiceState examples="running state"

When your search completes use the job inspector to find the regex that Splunk used to find your match.

----
An upvote would be appreciated and Accept Solution if it helps!

owie6466 · ‎04-28-2020

thanks! 🙂

owie6466 · ‎04-28-2020

this worked great!!!!!!

codebuilder · ‎04-28-2020

Glad it worked for you! erex is a hidden gem 🙂

----
An upvote would be appreciated and Accept Solution if it helps!

need help in extracting a substring from a string