I have a field called RAW_DATA with the following value, for example:
121014102709300701296259621803001024193524000100000001042000000000010400000004360000000000A000198799600476498796150501
I want to extract the portion below between spaces and '[' and ']':
121014102709300701296259621803001024193524000100000001042000000000010400000004360000000000A [000198799600] 476498796150501
How can I achieve this creating a new field extraction?
Try this:
<your index / sourcetypes> | rex field=RAW_DATA "\d+A(?<number_extracted>\d{12})\d+"
This should extract your portion into a new field (number_extracted).
If RAW_DATA is an existing field, then you can use the calculated fields to extract your 12 digit number as well.
From the Splunk UI, go to Settings->Fields->Calculated fields->New. Select the appropriate Destination app and sourcetype. Give it a name and put this as the eval expression:
replace(RAW_DATA,"(\w{91})(\d{12})(.*)","\2")
For more details, and for doing the same from props.conf, see this:
http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/definecalcfields
It works, thank you!
And how can I use it in the Field Extractor page?
Can you post your full log?
Just in case your 12 digit number is not always followed by the letter "A", then you can use this:
Your base search | rex field=RAW_DATA "\w{91}(?<number_extracted2>\d{12})\d+"
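Added example, not from any of the answers above: the three extraction variants from this thread (the "A"-anchored rex, the fixed-offset rex, and the replace() eval) re-implemented in Python so they can be checked side by side on the sample records from the thread plus one constructed record whose letter at position 91 is "B" rather than "A". Splunk's rex writes named groups as (?<name>...); Python spells the same thing (?P<name>...), everything else in the patterns is unchanged.

```python
import re

# Records 0-2 are the samples posted in the thread; record 3 is constructed
# (same layout, letter "B" at position 91) to show where the two rex patterns differ.
RAW_DATA_SAMPLES = [
    "121014102709300701296259621803001024193524000100000001042000000000010400000004360000000000A000198799600476498796150501",
    "161014102709295401500539001199001000637589000100000000600000000000006000000012460000000000A000198799601086268715200355...PLAIN TEXT WITH NOT IMPORTANT INFORMATION",
    "121014102709300802337162776343000002007797000100000000600000000000006000000047620000000000A000198799605339436725490508PLAIN TEXT WITH NOT IMPORTANT INFORMATION",
    "121014102709300701296259621803001024193524000100000001042000000000010400000004360000000000B000198799600476498796150501",  # constructed
]

# rex field=RAW_DATA "\d+A(?<number_extracted>\d{12})\d+"
ANCHORED = re.compile(r"\d+A(?P<number_extracted>\d{12})\d+")
# rex field=RAW_DATA "\w{91}(?<number_extracted2>\d{12})\d+"
OFFSET = re.compile(r"\w{91}(?P<number_extracted2>\d{12})\d+")
# replace(RAW_DATA,"(\w{91})(\d{12})(.*)","\2")
REPLACE = re.compile(r"(\w{91})(\d{12})(.*)")


def extract_anchored(raw: str):
    """Delimiter-based: the 12 digits right after the literal 'A'. None if no 'A'."""
    m = ANCHORED.search(raw)
    return m.group("number_extracted") if m else None


def extract_by_offset(raw: str):
    """Position-based: skip 91 word characters, take the next 12 digits."""
    m = OFFSET.search(raw)
    return m.group("number_extracted2") if m else None


def extract_by_replace(raw: str):
    """Calculated-field style: like Splunk replace(), an unmatched record is returned unchanged."""
    return REPLACE.sub(r"\2", raw)


if __name__ == "__main__":
    for raw in RAW_DATA_SAMPLES:
        print(extract_anchored(raw), extract_by_offset(raw), extract_by_replace(raw))
```

On the constructed "B" record only the position-based patterns still return the 12 digits, which is the case the answer above is guarding against.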
Yes! I always need the same portion. The RAW_DATA length is fixed, and I need to extract these 12 digits from this same position. More examples of data are:
(i)
161014102709295401500539001199001000637589000100000000600000000000006000000012460000000000A000198799601086268715200355...PLAIN TEXT WITH NOT IMPORTANT INFORMATION
(ii)
121014102709300802337162776343000002007797000100000000600000000000006000000047620000000000A000198799605339436725490508PLAIN TEXT WITH NOT IMPORTANT INFORMATION
Do you always have to extract the same portion? (000198799600) Do you have more sample data?