Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex command to extract fields from field( Message=...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sabithanitg
New Member
04-24-2015
06:54 AM
rex command to extract fields from Message=Document 345, Microsoft Word Text owned by first.last on abc1234 was some text on some text.............
Marked with bold text are common in all the values.
result of field names should look like this.
DocumentNum=Document 345
DocumentType = Microsoft Word Text
username=first.last
device=abc1234
location=some text
I have started with following rex command, but I cannot look for the text till "owned by" and for user name "owned by" to "on" and so on
| rex Message="(?[^\,])\,(?[()?:owned]*)" | table DocumentNum DocumentType
my result is looking like this: DocumentNum = Document 345
DocumentType = Micro
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stephanefotso
Motivator
04-24-2015
01:20 PM
yes of course! there are many possibilities to extract what you want. Please which of the above queries worked?
If it is the first one, here you go now:
|rex "^Message=(?P<DocumentNum>[^,]+),(?P<DocumentType>[^\n]*)owned\sby\s(?P<username>[^ ]+)\s+on\s+(?P<device>[a-f0-9]+)\s+was\s+(?P<location>[^\n]*)"|table DocumentNum DocumentType, username ,device, location
if it is the second one, here you go
|rex field=Message "(?P<DocumentNum>[^,]+),(?P<DocumentType>[^\n]*)owned\sby\s(?P<username>[^ ]+)\s+on\s+(?P<device>[a-f0-9]+)\s+was\s+(?P<location>[^\n]*)"|table DocumentNum DocumentType, username ,device, location
Hope it may help now.
SGF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stephanefotso
Motivator
04-24-2015
01:20 PM
yes of course! there are many possibilities to extract what you want. Please which of the above queries worked?
If it is the first one, here you go now:
|rex "^Message=(?P<DocumentNum>[^,]+),(?P<DocumentType>[^\n]*)owned\sby\s(?P<username>[^ ]+)\s+on\s+(?P<device>[a-f0-9]+)\s+was\s+(?P<location>[^\n]*)"|table DocumentNum DocumentType, username ,device, location
if it is the second one, here you go
|rex field=Message "(?P<DocumentNum>[^,]+),(?P<DocumentType>[^\n]*)owned\sby\s(?P<username>[^ ]+)\s+on\s+(?P<device>[a-f0-9]+)\s+was\s+(?P<location>[^\n]*)"|table DocumentNum DocumentType, username ,device, location
Hope it may help now.
SGF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sabithanitg
New Member
04-25-2015
09:06 PM
I am using the first one.It worked perfectly.
Thank you very much and appreciate your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stephanefotso
Motivator
04-24-2015
07:28 AM
Hello! Here you go
|rex "^Message=(?P<DocumentNum>[^,]+),\s+(?P<DocumentType>\w+\s+\w+\s+\w+)(?:[^ \n]* ){3}(?P<username>[^ ]+) on (?P<device>[a-f0-9]+) was (?P<location>.+)"|table DocumentNum,DocumentType, username, device, location
SGF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sabithanitg
New Member
04-24-2015
07:53 AM
Thanks for the answer Stephane, This is not showing up any value for these fields. Is there any other method to achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sabithanitg
New Member
04-24-2015
10:34 AM
Thanks stephane, With few changes it is working to extract for few values not all of them.
Is there any possibility of extracting all.
For example DocumentType field value contains as below similarly for Location
Microsoft Outlook - Memo Style,
11-02-099.pdf,
https://h44444.www3.hp.com/HPCSN/EtFOnline/fff_ff_notes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stephanefotso
Motivator
04-24-2015
08:04 AM
try this:
..........|rex "^Message=(?P<DocumentNum>[^,]+),\s+(?P<DocumentType>\w+\s+\w+\s+\w+)\sowned\sby\s(?P<username>[^ ]+)\son\s(?P<device>[a-f0-9]+)\swas\s(?P<location>.+)"|table DocumentNum,DocumentType, username, device, location
And if you are working with a csv file, means Message is a field in your csv, try this:
..........|rex field=Message "(?P<DocumentNum>[^,]+),\s+(?P<DocumentType>\w+\s+\w+\s+\w+)\sowned\sby\s(?P<username>[^ ]+)\son\s(?P<device>[a-f0-9]+)\swas\s(?P<location>.+)"|table DocumentNum,DocumentType, username, device, location
if not working also, please let me see the entire first line of your events.
SGF
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
