
How to Extract the files - each line has different formats


I want to extract the below:

2018-01-08T04:43:00,700|[http-nio-9094-exec-10]|INFO|VM1|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl|DA4885B49C8376878C57DB952FD84E39|99aee0b4-f912-4526-a9af-6fb9c27c5fe0|USER1|Normal|IBD1|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl| DocId = 1470| Execution Time : 6097milliseconds

2018-01-08T05:01:03,183|[http-nio-9094-exec-7]|INFO|VM2|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl|01D362DD96D7E608E83023B02D5B9508|67a81da1-3810-4c66-9ce7-eb9c9732f8ea|null%40null|USER2|Normal|IBD2|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl| DocId = 1473| Execution Time : 715milliseconds

I'm using the below syntax for extraction, but it is not working properly.

I also want to extract the execution time as numbers only; I don't want to include the word milliseconds.

Can you please advise?
^(?P[^:]+)(?:[^|\n]|){3}(?P\w+)(?:[^|\n]|){4}(?P[^|]+)|\w+|(?P[^|]+)[^ \n]* (?P[^|]+)[^:\n]*:(?P\s+\d+[a-z]+)

0 Karma


Hi rajeswariramar,

Please give this a look.

You can easily adjust this to your requirements. If you need more help, tell me.

0 Karma