INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:EXCEL
Above is my search result, and I want to extract the word 'Start' alone, like using 'awk' in bash. How do I do this in Splunk?
Since you wanted to work it like awk, and looking at your new data:
awk '{print $6}'
so use the field index6
after applying the rex below to get that:
your base query
| rex "^(?<index1>[\S]+)\s(?<index2>[\S]+)\s(?<index3>[\S]+)\s(?<index4>[\S]+)\s(?<index5>[\S]+)\s(?<index6>[\S]+)\s(?<index7>[\S]+)\s(?<index8>[\S]+)\s(?<index9>[\S]+)\s(?<index10>[\S]+)\s(?<index11>[\S]+)\s(?<index12>[\S]+)\s(?<index13>[\S]+)"
| stats count by index6
See here OR
":"
comes as the first word of awk -F":" '{print $4}',
which needs another pipe of awk '{print $1}',
since "Start" is the first word of the 4th index; hence find that piece as index4
below after applying rex:
...| rex "^(?<index1>[^\:]+)\:(?<index2>[^\:]+)\:(?<index3>[^\:]+)\:\s(?<index4>[\S]+)\s(?<index5>[^\:]+)\:(?<index6>[^\:]+)\:(?<index7>[^\:]+)\:(?<index8>[^\:]+)\:\s*(?<index9>[^\s]+)"
| stats count by index4
See here.
Try this.
... | rex "INFO\s:\s(?<action>[^\s]+)" | ...
It is not working. I want only 'Start' to be displayed from the line below:
2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US
On regex101.com, that rex command puts "Start" into the 'action' field.
How about this (extracting as field Action)
your base search | rex "^\w+\s*:\s*(?<Action>\w+)"
Updated per latest sample data
your base search | rex "^(\S+\s){4}:\s(?<Action>\w+)"
Sample event
2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US
But it is not displaying the string 'Start' alone. It displays the whole result 😞 I want it to display only 'Start'.
I think what @somesoni2 has as regex will capture what you need in the "Action" field. Can you see here that his regex works the way you want it, unless your data is something else than the one you posted in the question?
Okay.
Here is the correct data.
2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US
I want only the 'Start' string to be displayed in the results. How could we do that, @gokadroid @somesoni2?
What is your current search? Do you want just "Start" or any word (like "Done") in that position?
For the latter, try
... | rex ":\s+(?<start>\w+)" | ...
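As an added example that is not part of the thread, the Python script below replays every rex pattern posted above against constructed copies of the two sample events (the short one from the question and the timestamped one posted later), plus one constructed line with no "INFO :" prefix. Splunk's rex takes PCRE-style `(?<name>...)` groups, which Python's `re` does not accept, so a small helper rewrites them to `(?P<name>...)` before testing. The `rex` and `stats_count_by` helpers are this example's own emulation of `| rex` and `| stats count by`, not Splunk code.

```python
import re
from collections import Counter

# Constructed copies of the two sample events quoted in the thread.
SHORT_EVENT = "INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:EXCEL"
FULL_EVENT = (
    "2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: "
    "Project ID:c_exactworld_17121, Format:HTML, Locale: en_US"
)
# Constructed line without the "INFO :" prefix, to show what an unanchored pattern picks up.
ODD_EVENT = "WARN Outputing Report: Project ID:c_exactworld_17121, Format:HTML"

# The rex patterns posted in the thread, written exactly as they would be given to Splunk.
REX_WHITESPACE_13 = "^" + r"\s".join(rf"(?<index{i}>[\S]+)" for i in range(1, 14))
REX_COLON = (
    r"^(?<index1>[^\:]+)\:(?<index2>[^\:]+)\:(?<index3>[^\:]+)\:\s(?<index4>[\S]+)\s"
    r"(?<index5>[^\:]+)\:(?<index6>[^\:]+)\:(?<index7>[^\:]+)\:(?<index8>[^\:]+)\:\s*(?<index9>[^\s]+)"
)
REX_INFO = r"INFO\s:\s(?<action>[^\s]+)"
REX_FIRST_WORD = r"^\w+\s*:\s*(?<Action>\w+)"
REX_FOUR_TOKENS = r"^(\S+\s){4}:\s(?<Action>\w+)"
REX_ANY_COLON = r":\s+(?<start>\w+)"


def splunk_to_python(pattern: str) -> str:
    """Splunk rex uses PCRE named groups, (?<name>...); Python's re only accepts
    (?P<name>...). Rewrite the group openers, leaving lookbehinds (?<= and (?<! alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(event: str, pattern: str) -> dict:
    """Emulate `| rex "<pattern>"` on one event: the named groups of the first
    match become fields; when nothing matches, rex adds no fields at all."""
    m = re.search(splunk_to_python(pattern), event)
    return m.groupdict() if m else {}


def stats_count_by(events, pattern: str, field: str) -> dict:
    """Emulate `| rex "<pattern>" | stats count by <field>`: events where the
    field was never extracted are dropped, as stats does for a null group-by value."""
    values = [rex(e, pattern).get(field) for e in events]
    return dict(Counter(v for v in values if v is not None))


def demo():
    events = [SHORT_EVENT, FULL_EVENT, ODD_EVENT]
    for name, pattern, field in [
        ("13 whitespace fields (index6)", REX_WHITESPACE_13, "index6"),
        ("colon-delimited fields (index4)", REX_COLON, "index4"),
        ("anchored on INFO (action)", REX_INFO, "action"),
        ("first word + colon (Action)", REX_FIRST_WORD, "Action"),
        ("four tokens + colon (Action)", REX_FOUR_TOKENS, "Action"),
        ("first colon-space anywhere (start)", REX_ANY_COLON, "start"),
    ]:
        # None means the pattern did not match that event, so no field was created.
        print(f"{name:36s}", [rex(e, pattern).get(field) for e in events])


if __name__ == "__main__":
    demo()
```

Running it shows why the answers diverged: the 13-field and four-token patterns only match the timestamped event, the `^\w+\s*:\s*` pattern only matches the short one, and the unanchored `:\s+(?<start>\w+)` matches both but, on a line without "INFO :", silently returns whatever word follows the first colon-space ("Project" here). Anchoring on a fixed token such as `INFO\s:\s` is what keeps the extracted value stable across event shapes.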