Solved: How to get the assigned value of a macro with ":" ...

harshal_chakran · ‎11-12-2013

Hi,

I need to find the value of PLANDATA_TYPE from the given string in my logs

i.e. PLANDATA_TYPE: ASBFGH, PLANWORK: NotMentioned.

I should get output as ASBFGH when I search for value of PLANDATA_TYPE.
And similarly I should get value as NotMentioned for PLANWORK. The issue is they are not separated by "=" sign but by ":". Any ideas how to proceed?

jtrucks · ‎11-12-2013

Use an extract. Try:

… | rex field=_raw "PLANDATA_TYPE:\s(?<PLANDATA_TYPE>\w+),\sPLANWORK:(?<PLANWORK>\w+)"

--
Jesse Trucks
Minister of Magic

View solution in original post

sowings · ‎11-13-2013

If you can edit the props / transforms directly, this would work just fine with the following transform on your data:

[my_rule] DELIMS = ":", ","

The first signifies what separates a key from a value, and the second indicates what separates key=value pairs from each other.

jtrucks · ‎11-12-2013

Use an extract. Try:

… | rex field=_raw "PLANDATA_TYPE:\s(?<PLANDATA_TYPE>\w+),\sPLANWORK:(?<PLANWORK>\w+)"

--
Jesse Trucks
Minister of Magic

harshal_chakran · ‎11-13-2013

Thanks jtrucks and dolxor. It worked..!!!

jtrucks · ‎11-12-2013

fixed. Nice call 🙂

--
Jesse Trucks
Minister of Magic

dolxor · ‎11-12-2013

Hey jtrucks. Shouldn't there be a whitespace \s between the : and (?<.. or does Splunk trim this automatically when assigning the value to the fieldname?

How to get the assigned value of a macro with ":" (colon) as a seperator

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!