Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract usage basics

muraliv
New Member
‎04-04-2013 06:13 AM

Hi,

I understand what extract or kv command does. but what i don't understand is how the extracted values should be used in a timechart command.

for example.

event 1: 10=200,11=210,12=220

event 2: 10=300,11=310,12=320

event 3: 10=400,11=410,12=420

if i want to plot a line graph, which will plot all the values of 10,11 and 12 i'll use as following

source "someosource" | extract kvdelim="=" pairdelim="," auto=f

how should i use the subsequent timechart command. how will i refer the fields 10,11 and 12 in the timecharts.
please guide me since i can't find a complete one to one tutorial with samples for extract command.

thanks in advance.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-04-2013 06:47 AM

If I modify your data like this:

event 1: a10=200,a11=210,a12=220
event 2: a10=300,a11=310,a12=320
event 3: a10=400,a11=410,a12=420

Then extract will pull out all the fields without any parameters given. I assume extract refuses to extract numbers as field names. You can still write a rex for that like this:

...  | rex "10=(?<10>\d+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-04-2013 06:47 AM

If I modify your data like this:

event 1: a10=200,a11=210,a12=220
event 2: a10=300,a11=310,a12=320
event 3: a10=400,a11=410,a12=420

Then extract will pull out all the fields without any parameters given. I assume extract refuses to extract numbers as field names. You can still write a rex for that like this:

...  | rex "10=(?<10>\d+)"
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:07 AM

With those events extract without any parameters will extract fields called a10, a11, and a12. You can then refer to those field names in successive commands.

For a simple confirmation, append a | table a10 a11 a12 to your extract.

0 Karma
Reply
Solved! Jump to solution

muraliv
New Member
‎04-04-2013 10:55 PM

martin,
thanks for your reply. I'm worried about how to use the extracted data in the successive commands

for example
if i use a rex, i'll use a FIELDVALUE variable which'll be used in the successive command

so now, the events look like this
event 1: a10=200,a11=210,a12=220
...

again, my search commands looks like this
source "somesource" | extract kvdelim="=" pairdelim="," auto=f

do i have to use a rex eventhough i use a extract command? how will i refer the extracted fields in the succesive commands. sorry for my ignorance.

please guide me.

regards,
murali v

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...