Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk multiple field extraction

ppatkar
Path Finder
‎02-19-2021 04:42 AM

 

 I have the below Splunk Event & need to extract multiple fields from the same :

 

[TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--prod', run:'4569876', timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]

 

Expected Table Output :

jobruncode
endcustomer--prod4569876E302: Batch failed

 

I was able to pick some field like :

run\:\'(?<run>\w+)'

https://regex101.com/r/q7NqQb/1

However, unable to extract all the three fields above. Any help is appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-19-2021 04:54 AM

hi @ppatkar,

Use rex command twice:

| rex "job:'(?<job>[^']+)',\srun:'(?<run>[^']+)"
| rex "code:'(?<code>[^']+)'"
| table job, run, code

 

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

jotne
Builder
‎02-24-2021 01:15 AM

All in on rex

 

Your search
| rex "job:'(?<job>[^']+)'. run:'(?<run>[^']+)'.*? code:'(?<code>[^']+)'"
| table job run code

 

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-19-2021 04:54 AM

hi @ppatkar,

Use rex command twice:

| rex "job:'(?<job>[^']+)',\srun:'(?<run>[^']+)"
| rex "code:'(?<code>[^']+)'"
| table job, run, code

 

If this reply helps you, an upvote/like would be appreciated.

Reply
Solved! Jump to solution

ppatkar
Path Finder
‎02-23-2021 02:22 AM

Hi @manjunathmeti 

I have one followup to the earlier , in certain events I see truncated output like below :

 

[TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--pr..[truncated output], run:4569876, timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]

 

This is causing my job to get derived as null . Can you please advise ?

 

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-23-2021 08:46 PM

Try this:

| rex "job:'?(?<job>[^']+)'?,\srun:'?(?<run>\d+)'?"
| rex "code:'(?<code>[^']+)'"
| table job, run, code

 

 If this reply helps you, an upvote/like would be appreciated.

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...