Splunk Search

need help in extracting a substring from a string

Explorer

hello splunkers! new to splunk and i am needing to extract a word from a message field.

this is the message

The Cluster Service service entered the running state.

i want to extract "running state" and use it to indicate a status of a server.

thank you!

Labels (1)
Tags (1)
0 Karma
1 Solution

Motivator

Pipe your existing search to erex, give the field a name and provide an example.

...| erex ServiceState examples="running state"

When your search completes use the job inspector to find the regex that Splunk used to find your match.

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Erex

View solution in original post

0 Karma

Motivator

Pipe your existing search to erex, give the field a name and provide an example.

...| erex ServiceState examples="running state"

When your search completes use the job inspector to find the regex that Splunk used to find your match.

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Erex

View solution in original post

0 Karma

Explorer

thanks! 🙂

0 Karma

Explorer

this worked great!!!!!!

0 Karma

Motivator

Glad it worked for you! erex is a hidden gem 🙂

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!