How to extract particular data from a file and the...

Arminder_Bhalla · ‎10-16-2015

Hi

I have a flat file with the following data which is ingested in Splunk:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ABC Report

Date:2015-10-01

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FileName: xyz.123

File Processing Start Time:20151001 07:12:14

This file contains the following payments:

Mkt Bk Sender Id Cntry Curr Total Value Total Records
001 0700 2489 124 124 11443 7
001 0700 2685 124 124 39559 2
001 0700 2487 124 124 13408 76
001 0700 2891 124 124 76825 5
001 0700 2086 124 124 67606 5
001 0700 2083 124 124 39275 17
001 0700 2588 124 124 21101 7
CAN.EM.0072.0006
CAN.EM.0072.0007

File Processing End Time:20151001 07:12:14

I have to extract the highlighted data from the file and then assign it to different fields.

Can anyone help me on this?

jmallorquin · ‎10-16-2015

From the search you can use this regex:

| rex "(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)"

If you want to make it persist, you can modified the props.conf

Another way could be to use transforms.conf with delims = " "
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract...

asimagu · ‎10-16-2015

I think this is what you need : multikv command

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/multikv

How to extract particular data from a file and then define fields from it?

FileName: xyz.123

File Processing End Time:20151001 07:12:14

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio