I have a search:
source="/opt/www/logs/nbcucentral/nbcucentral.log"| rex "(?P\w+.\w+@\w+.\w+)" | rex "details (?P\w+)" | rex "(?\d{9})" | stats count by Name, Email, User_ID
It is showing the result of fields Name, Email, sso.
Now I need to add some more fields to the existing query.
Fields which i need to add are:
jobTitle
orgName
orgSegment
parentOrgname
userType
Kindly help on it
Use the regex command. Something like this:
....| regex jobTitle= "(?P\w+.\w+@\w+.\w+)" | regex orgName= "details (?P\w+)" | regex orgSegment= "(?\d{9})"|.....
Not working, tried it.
thanks for the effort
Hi moiezuddin
Try this new request
source="/opt/www/logs/nbcucentral/nbcucentral.log" | rex "(?P\w+.\w+@\w+.\w+)" | rex "details (?P\w+)" | rex "(?\d{9})" | stats count by Name , Email , User_ID | lookup identity_lookup sso OUTPUT jobTitle orgName orgSegment parentOrgname userType|table Name Email User_ID jobTitle orgName orgSegment parentOrgname userType sso
Tell me if it works like you want.
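The enrichment discussed in this thread, as an added example that is not part of the original posts. The capture-group names `Email`, `Name` and `sso` are assumptions, because the group names are missing from the queries as they appear on this page; it also assumes the 9-digit value is the `sso` key column of `identity_lookup`. The key field is kept in the `stats ... by` clause so it still exists when `lookup` runs.

```spl
source="/opt/www/logs/nbcucentral/nbcucentral.log"
| rex "(?<Email>\w+\.\w+@\w+\.\w+)"
| rex "details (?<Name>\w+)"
| rex "(?<sso>\d{9})"
| stats count by Name, Email, sso
| lookup identity_lookup sso OUTPUT jobTitle orgName orgSegment parentOrgname userType
| fillnull value="unknown" jobTitle orgName orgSegment parentOrgname userType
| table Name Email sso jobTitle orgName orgSegment parentOrgname userType count
```

If the extracted field has a different name than the lookup column (for example `User_ID`), map it with `lookup identity_lookup sso AS User_ID OUTPUT ...`. Rows that show `unknown` had no matching entry in the lookup table.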
Hi cheimell,
The clear information is given at the link below:
http://answers.splunk.com/answers/221255/how-to-build-a-dashboard-to-show-extracted-email-d.html
(Unable to copy that link, some attributes are missing, so I have given the above link.)
At the end of this link you can find one query (showing the exact result);
to that query I need to add some more fields to get the result.
The fields I need to add are jobTitle orgName orgSegment parentOrgname userType
Kindly help on it
Hi Moiezuddin,
I think you'll find it really beneficial to use Splunk's integrated field extractor.
You can literally highlight the fields you want to extract and Splunk will do it for you.
Here's some documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX
I also answered a question about the use of regex in Splunk which will help you here:
http://answers.splunk.com/answers/208288/need-help-with-regex-1.html#answer-207298
This way, you can see how to apply the rex command and you can extract all the fields you want.
Good luck!
Hi Kendrickt,
Thanks for your explanation.
The problem is that the mentioned fields are not present in the sample data, so I am unable to extract the fields.
We have a lookup table named identity_lookup in which the fields are present.
identity_lookup is present in the lookup definitions, not in the automatic lookups.
With the help of the identity_lookup table, are you able to provide me a query which can extract the requested fields?
Can you help on it?
Please share some sample data so we know where to find the requested fields.
Hi,
The mentioned fields are not present in the sample data.
We have a lookup table named identity_lookup in which the fields are present.
Can you help on it?