Splunk Search

Extracting a string from the search result

zeewagon
Engager

INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:EXCEL

Above is my search result, and I want to extract the word 'Start' alone, like using 'awk' in bash. How do I do this in Splunk?

0 Karma

gokadroid
Motivator

Since you wanted to work it like awk and looking at your new data:

  1. Your word when separated by spaces comes at awk '{print $6}', so use the field index6 after applying the rex as below to get that:

your base query | rex "^(?<index1>[\S]+)\s(?<index2>[\S]+)\s(?<index3>[\S]+)\s(?<index4>[\S]+)\s(?<index5>[\S]+)\s(?<index6>[\S]+)\s(?<index7>[\S]+)\s(?<index8>[\S]+)\s(?<index9>[\S]+)\s(?<index10>[\S]+)\s(?<index11>[\S]+)\s(?<index12>[\S]+)\s(?<index13>[\S]+)" | stats count by index6

OR

  2. Your word when separated by ":" comes as the first word of awk -F":" '{print $4}', which needs another pipe of awk '{print $1}' since "Start" is the first word of the 4th index, hence find that piece as index4 below after applying rex:

...| rex "^(?<index1>[^\:]+)\:(?<index2>[^\:]+)\:(?<index3>[^\:]+)\:\s(?<index4>[\S]+)\s(?<index5>[^\:]+)\:(?<index6>[^\:]+)\:(?<index7>[^\:]+)\:(?<index8>[^\:]+)\:\s*(?<index9>[^\s]+)" | stats count by index4
0 Karma

richgalloway
SplunkTrust

Try this.

... | rex "INFO\s:\s(?<action>[^\s]+)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

zeewagon
Engager

It is not working. I want only 'Start' to be displayed from the line below:

2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US

0 Karma

richgalloway
SplunkTrust

On regex101.com, that rex command puts "Start" into the 'action' field.

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
SplunkTrust

How about this (extracting as field Action)

your base search | rex "^\w+\s*:\s*(?<Action>\w+)"

Updated per latest sample data

your base search | rex "^(\S+\s){4}:\s(?<Action>\w+)" 

Sample event

2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US
0 Karma

zeewagon
Engager

But it is not displaying the string 'Start' alone. It displays the whole result 😞 I want it to display only 'Start'.

0 Karma

gokadroid
Motivator

I think what @somesoni2 has as regex will capture what you need in the "Action" field. You can see that his regex works the way you want it, unless your data is something else than the one you posted in the question.

0 Karma

zeewagon
Engager

Okay.
Here is the correct data.

2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US

I want only the 'Start' string to be displayed in the results. How could we do that @gokadroid @somesoni2 ?

0 Karma

richgalloway
SplunkTrust

What is your current search? Do you want just "Start" or any word (like "Done") in that position?

For the latter, try

... | rex ":\s+(?<start>\w+)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
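To check which of the rex patterns proposed in this thread actually capture "Start" on each sample event (the short line from the question versus the full log line posted later), here is an added Python harness that is not part of the thread; Splunk's PCRE-style `(?<name>...)` groups are rewritten as Python's `(?P<name>...)`, and gokadroid's colon-split pattern is cut down to the groups up to index4. Keep in mind that rex only adds a field to each event, so to display just the extracted word you still need `| table action` (or `| fields action`) after the rex.

```python
import re

# Constructed sample events, copied from the two samples posted in the thread.
SHORT_EVENT = "INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:EXCEL"
FULL_EVENT = ("2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: "
              "Project ID:c_exactworld_17121, Format:HTML, Locale: en_US")

# The thread's rex patterns (Splunk (?<name>...) groups rewritten as Python (?P<name>...)),
# keyed by who proposed them, with the capture field each answer used.
PATTERNS = {
    "richgalloway/action": (r"INFO\s:\s(?P<action>[^\s]+)", "action"),
    "somesoni2/first": (r"^\w+\s*:\s*(?P<Action>\w+)", "Action"),
    "somesoni2/updated": (r"^(\S+\s){4}:\s(?P<Action>\w+)", "Action"),
    "richgalloway/any-word": (r":\s+(?P<start>\w+)", "start"),
    # Leading part of gokadroid's colon-split rex: only the groups needed to reach index4.
    "gokadroid/colon-split": (
        r"^(?P<index1>[^:]+):(?P<index2>[^:]+):(?P<index3>[^:]+):\s(?P<index4>\S+)",
        "index4"),
}


def splunk_rex(event, pattern, field):
    """Mimic `| rex "<pattern>"` on one event: return the named capture, or None
    when the regex does not match (rex simply leaves the field absent, no error)."""
    m = re.search(pattern, event)  # rex matches anywhere unless the pattern is anchored with ^
    return m.group(field) if m else None


def run_all(event):
    """Apply every pattern to one event; each value is what `| table <field>` would show."""
    return {name: splunk_rex(event, pat, fld) for name, (pat, fld) in PATTERNS.items()}


if __name__ == "__main__":
    for label, ev in (("short sample", SHORT_EVENT), ("full sample", FULL_EVENT)):
        print(label)
        for name, value in run_all(ev).items():
            print(f"  {name:24s} -> {value!r}")
```

Running it shows why the first somesoni2 pattern worked on the question's short sample but not on the full log line (the `^\w+` anchor hits the timestamp), while the updated pattern does the opposite.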