Splunk Search

How to extract a field from a single line text file and chart or graph the results?

jonzhong
New Member

Hi

I managed to load my directory into Splunk. It's a directory of multiple single-line .txt files. Splunk is able to read all the files and the timestamps correctly. How can I plot a graph or chart?

I have a single-line text file. The content is as below:

**ID**,FFM004-9999-01,**MID**,18M,**D1**,02/10/2012,**T1**,17:10:33.419,**FC01**,STARTUP,**FD01**,NIL,**UC01**,25911.00,**UC02**,40685.00,**OC01**,29.00,**OC02**,31.00,**OC03**,22.00,**OC04**,20.00

Those in bold are the tags, and the value of each tag is after the comma. If there are 10 .txt files and I want to plot a graph or chart of UC01 across all 10 files, how do I do it?

Please advise.

0 Karma

srioux
Communicator

Alrighty. So, for this one, I wanted to make sure it was dynamic enough to take into account new fields created/removed from the raw data, and also do the field extractions from the events, assuming that the CSV-delineated events won't have headers across the number of files.

Pull in your base search, then I used in-line SED to match & replace the first (and every other) comma with an equal sign. We then feed it into an 'extract' command to pull out the necessary fields. From there, your stats command will vary based on what you want to showcase; in the sample search below, I just did an average of UC01 by ID.

base search... | rex mode=sed "s/([^,]*),([^,]*)(,|$)/\1=\2\3/g" | extract pairdelim="," kvdelim="=" | stats avg(UC01) AS Average by ID
0 Karma

jonzhong
New Member

Thanks for your input,
but I can't treat all "," as "=".
E.g.
UC01,25911.00**,**UC02,40685.00
I definitely can't treat this comma as an equals sign; it's there to separate the next tag.

0 Karma

srioux
Communicator

Fair enough. The next suggestion would be that you do field extractions based on fields you know exist and want to pull out of your record (i.e. UC01). For example, an in-line extraction would be:

base search... | rex "UC01,(?<UC01>[^,]+)"

Overview in docs here:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsatsearchtime

0 Karma
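Both approaches above (the sed rewrite into key=value pairs followed by extract, and the targeted rex for one tag) can be checked offline before they go into a saved search. The following is an added example, not code from either poster or from Splunk: it re-implements the two answers in Python on a few constructed single-line events (the first is the line from the question; the other two, with the hypothetical ID FFM004-9999-02 and a later day, are made up here). It shows that the posted sed expression does pair every other comma as intended, but leaves the final tag (OC04) unconverted because that pair has no trailing comma; the hardened pattern `([^,]*),([^,]*)(,|$)` is this example's own assumption. Python's `re` is used as a stand-in for Splunk's PCRE, so the named group is written `(?P<UC01>...)` here where Splunk's rex accepts `(?<UC01>...)`.

```python
import re
from statistics import mean

# Constructed sample events, one per single-line .txt file. The first is the
# line from the question; the other two are made up here to simulate more files.
EVENTS = [
    "ID,FFM004-9999-01,MID,18M,D1,02/10/2012,T1,17:10:33.419,FC01,STARTUP,FD01,NIL,"
    "UC01,25911.00,UC02,40685.00,OC01,29.00,OC02,31.00,OC03,22.00,OC04,20.00",
    "ID,FFM004-9999-02,MID,18M,D1,02/10/2012,T1,17:12:01.007,FC01,STARTUP,FD01,NIL,"
    "UC01,26100.00,UC02,40700.00,OC01,28.00,OC02,30.00,OC03,23.00,OC04,21.00",
    "ID,FFM004-9999-01,MID,18M,D1,02/11/2012,T1,17:10:40.111,FC01,RUNNING,FD01,NIL,"
    "UC01,25800.00,UC02,40650.00,OC01,30.00,OC02,31.00,OC03,22.00,OC04,20.00",
]

# Pattern from the first answer's sed expression. Applied globally it turns
# every *other* comma into '=' (tag,value -> tag=value), so the pairing is
# correct, but the last pair has no trailing comma and is never rewritten.
PAIR_RE_ORIGINAL = re.compile(r"(.*?),(.*?,)")

# Hardened pairing (this example's assumption, not the poster's regex): the
# value ends at a comma OR at end of line, so the final pair converts as well.
PAIR_RE = re.compile(r"([^,]*),([^,]*)(,|$)")


def to_kv_original(event: str) -> str:
    """Apply the posted sed step (PAIR_RE_ORIGINAL) to one event."""
    return PAIR_RE_ORIGINAL.sub(r"\1=\2", event)


def to_kv(event: str) -> str:
    """Apply the hardened sed step (PAIR_RE) to one event."""
    return PAIR_RE.sub(r"\1=\2\3", event)


def parse_kv(kv_line: str) -> dict:
    """Stand-in for '| extract pairdelim="," kvdelim="="': split pairs on ','
    and each pair on its first '='. Tokens without '=' do not become fields."""
    fields = {}
    for pair in kv_line.split(","):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields


# Targeted extraction from the second answer. Python needs (?P<name>...);
# Splunk's rex accepts the (?<name>...) form used in the post.
UC01_RE = re.compile(r"UC01,(?P<UC01>[^,]+)")


def extract_uc01(event: str):
    """Stand-in for '| rex "UC01,(?<UC01>[^,]+)"'; returns None if absent."""
    m = UC01_RE.search(event)
    return float(m.group("UC01")) if m else None


def avg_uc01_by_id(events) -> dict:
    """Stand-in for '| stats avg(UC01) AS Average by ID' across all files."""
    by_id = {}
    for event in events:
        fields = parse_kv(to_kv(event))
        by_id.setdefault(fields["ID"], []).append(float(fields["UC01"]))
    return {ident: mean(values) for ident, values in by_id.items()}


if __name__ == "__main__":
    first = EVENTS[0]
    print("original sed  :", to_kv_original(first))
    print("hardened sed  :", to_kv(first))
    lost = set(parse_kv(to_kv(first))) - set(parse_kv(to_kv_original(first)))
    print("fields lost by original pattern:", lost)
    print("UC01 per event:", [extract_uc01(e) for e in EVENTS])
    print("avg UC01 by ID:", avg_uc01_by_id(EVENTS))
```

Once the pairing pattern is confirmed, the SPL tail for the chart is the usual one: end the search with `timechart avg(UC01)` (or `stats avg(UC01) by ID` as in the first answer) and switch the result panel to a line or column chart; whether the field is produced by extract or by a targeted rex makes no difference to that step.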