A is running
b is running
Each event contains this kind of data. I want to create two fields, one capturing (A, B, C) in rows and the other capturing the corresponding status (running) in rows.
Please provide the needed help.
Thanks in advance.
Is this what you are trying to achieve?
Feel free to copy and paste into your search box or simply get rid of everything up to the rex and use the right name of your field there to try this out.
| makeresults | fields - _time
| eval sample = "
A is running;
b is running;
c is running;
D is stopped;
E is unreachable
"
| eval sample = split(sample, ";")
| mvexpand sample
| rex field=sample "(?<who>\w+).+?(?<status>\w+)$"
| table who, status
Output (see picture below):
The actual data, in place of
A is running;
b is running;
c is running;
D is stopped;
E is unreachable
is
'aaaa bbbb cccc dddd' (1234) is running.
'akdg ytdf tyui tyhj' (1245) is running.
... like this.
So I have to capture only 'aaaa bbbb cccc dddd' and 'running' in two different fields, and similarly for the other values.
Then simply change the regex to:
| rex "\'(?<who>[^\']+)\'.+?(?<status>\w+)$"
None of the solutions work out... :(
Can you post the query here?
This works fine for me:
| makeresults | fields - _time
| eval sample = "
'aaaa bbbb cccc dddd' (1234) is running;
'akdg ytdf tyui tyhj' (1245) is running
"
| eval sample = split(sample, ";")
| mvexpand sample
| rex field=sample "\'(?<who>[^\']+)\'.+?(?<status>\w+)$"
| table who, status
Output:
May I know which version of Splunk you are using?
Splunk Enterprise 6.4.1
Mine is Splunk 6.2.5... would that be the reason for not showing the output?
Could be the makeresults, as I don't know when it was implemented; try this instead:
| stats count | fields - count
| eval sample = "
'aaaa bbbb cccc dddd' (1234) is running;
'akdg ytdf tyui tyhj' (1245) is running
"
| eval sample = split(sample, ";")
| mvexpand sample
| rex field=sample "\'(?<who>[^\']+)\'.+?(?<status>\w+)$"
| table who, status
Thanks Javiergn... this query really works. So stats works in place of "makeresults".
Sorry for the delay in response.
I want time to be one of the table columns in the output too.
Hi,
If you want time to be there too, simply change the last line from:
| table who, status
To:
| table _time, who, status
By the way, once you are happy with the information provided, please don't forget to mark one of the answers here as answered in order to close this off and allow others to benefit from it.
Thanks,
J
I did that before posting this query. As it is a sample event, the query is not able to populate the _time column.
Is it possible to make this query dynamic? Dynamic means the query picks the "sample" from incoming events. As the "sample" is static, even if the status changes it won't get reflected in the output.
After that I think the _time column would get populated with the value.
Assuming these are individual events, try this.
*UPDATED based on real events*
your search | rex field=_raw "(?<device>[^\(]+)\(\d+\)\sis\s(?<status>\w+)" | table device status
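An added example, not code from any post in this thread: the two rex patterns above applied in Python (using `(?P<name>...)`, since Python's re module does not accept Splunk's `(?<name>...)` syntax) over constructed events shaped like the quoted ones, including the trailing period. It shows that the pattern anchored with `$` returns no match on a line that ends with a period, while the unanchored one still extracts both fields.

```python
import re

# Constructed sample events in the shape quoted in the thread:
# a quoted name, a numeric id in parentheses, then the status.
# The first two keep the trailing period from the quoted lines.
SAMPLE_EVENTS = [
    "'aaaa bbbb cccc dddd' (1234) is running.",
    "'akdg ytdf tyui tyhj' (1245) is running.",
    "'zzzz yyyy' (9001) is stopped",
]

# Pattern from the first answer: the status must sit at end of line ($).
ANCHORED = re.compile(r"'(?P<who>[^']+)'.+?(?P<status>\w+)$")
# Pattern from the updated answer: keys on "(id) is <status>" instead of $.
UNANCHORED = re.compile(r"(?P<device>[^(]+)\(\d+\)\sis\s(?P<status>\w+)")


def extract(event, pattern):
    """Return (who, status) for one event, or None when the pattern does not match."""
    m = pattern.search(event)
    if not m:
        return None
    groups = m.groupdict()
    who = groups.get("who") if groups.get("who") is not None else groups["device"]
    # The unanchored pattern keeps the quotes and a trailing space in the
    # device group; normalise so both patterns yield the same field value.
    return who.strip().strip("'"), m.group("status")


def extract_all(events, pattern):
    """Run one pattern over every event; None marks an event that did not match."""
    return [extract(e, pattern) for e in events]


if __name__ == "__main__":
    for name, pat in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(name, extract_all(SAMPLE_EVENTS, pat))
```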
didn't work
When you say it didn't work, what do you mean? Were you able to go to the link I provided? That has the data and regex that shows how the fields have been captured. Are you saying that the fields are not captured correctly, or that you were not able to get to the link?
I opened that link. I used the rex expression created by that online regex tool. When I used that expression in my search query, no data is showing in the output.
My query is: is there any other reason that the data is unable to be extracted from the event and populated into the field?
As you can see in the online tool, the regex matches the data sample you provided.
The only reason I can think of is there's something that's getting lost when you're masking the data.
Did you try copying your data into the online tool to see if the regex works? If it doesn't, on the right of that page you will see an explanation; paste that over here.
OR
Can you share the actual event without modifying anything.
I have pasted my data there and it captures the right field... I can't paste my original data due to client data protection.
But when I use the same in the search query, it's throwing "No results found".
Can you share the query you are using. Without any changes.
@Tannawi.Chauhan try my updated answer