Hello Splunkers! New to Splunk and I am needing to extract a word from a message field.
This is the message:
The Cluster Service service entered the running state.
I want to extract "running state" and use it to indicate a status of a server.
Thank you!
Pipe your existing search to erex, give the field a name and provide an example.
...| erex ServiceState examples="running state"
When your search completes use the job inspector to find the regex that Splunk used to find your match.
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Erex
Thanks! 🙂
This worked great!!!!!!
Glad it worked for you! erex is a hidden gem 🙂
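Following on from the erex answer above, an added example (not part of the original thread) that pins the extraction to an explicit rex pattern instead of an example-derived one and turns the captured state into a status field. The field name Message, the extra sample messages and the ServiceName and ServerStatus fields are assumptions; the events are constructed with makeresults so the search runs without any indexed data. It captures the single word before "state" ("running") rather than the phrase "running state".

```spl
| makeresults count=3
| eval note="constructed sample messages for illustration, not real events"
| streamstats count AS n
| eval Message=case(
    n=1, "The Cluster Service service entered the running state.",
    n=2, "The Cluster Service service entered the stopped state.",
    n=3, "The Print Spooler service entered the running state.")
| rex field=Message "^The (?<ServiceName>.+) service entered the (?<ServiceState>\w+) state\.$"
| eval ServerStatus=if(ServiceState="running", "up", "down")
| table ServiceName ServiceState ServerStatus
```

Against real data, replace everything up to the rex line with your existing search and point field= at the field that holds the message text.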