Getting Data In

Two different delimiters for a field

AdixitSplunk
Path Finder

I have 2 types of messages in my log.
For the 1st I want to split it on the ":" delimiter,
and for the 2nd I want the delimiter to be "for".

My base query is something like below:

.... Message1 OR Message2
| eval delim=if(<event is Message1>, ":", "for")
| eval num=split(Message, delim)
| eval field=mvindex(num, 0)
| stats count by field

Please help me with this.

Thanks

0 Karma

gokadroid
Motivator

How about you try this and take whichever one you are interested in out of the preFix or sufFix fields, if your initial string is in field Message:

your query to return events
| rex field=Message "^(?<preFix>.*?)(\s:\s|\sfor\s)(?<sufFix>.*)"
| table preFix, sufFix, Message

See here for the extraction at work. Notice the Group PreFix and Group SufFix on right sidebar after...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try:

.... Message1 OR Message2
| eval num=if(searchmatch("Message1"), split(Message,":"), split(Message,"for"))
| eval field=mvindex(num,0)
| stats count by field

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi AdixitSplunk,
why don't you use a regex extraction like this:

| rex "(:|for)\s(?<Message>.*)"

Bye.
Giuseppe

0 Karma

AdixitSplunk
Path Finder

It's not working 😞, it's only showing the last.
Messages are like:
Application photobuf message : dhfksdhkfhksdhfk hdfkshfskhfk dfhkshdfkshfhs
Application Data loaded successfully for Photo No - 123456789 ; OrderIPlaceno - 987654321

Using | rex "(:|for)\s(?<Message>.*)" is giving Photo No -1234

0 Karma

gcusello
SplunkTrust
SplunkTrust

Modify the regex:

| rex max_match=0 "(:|for)\s(?<Message>.*)"

see https://regex101.com/r/nGhrLA/1

Bye.
Giuseppe

0 Karma

Arun_N_007
Communicator

Use match() or like() inside an if() condition to find the message type, and based on that set the delim.

..| eval delim = if(like(_raw,"%:%"),":","for")

0 Karma

AdixitSplunk
Path Finder

Can you please help me with the syntax here?

0 Karma

Arun_N_007
Communicator

| stats count
| eval _raw="Application photobuf message : dhfksdhkfhksdhfk hdfkshfskhfk dfhkshdfkshfhs"
| append [| stats count | eval _raw="Application Data loaded successfully for Photo No - 123456789 ; OrderIPlaceno - 987654321"]
| eval delim = if(like(_raw,"%:%"),":","for")
| eval _raw=split(_raw,delim)
| eval split1=mvindex(_raw,0)
| eval split2=mvindex(_raw,1)

0 Karma
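As an added example (not from any of the posters above), the same conditional-split idea applied to the field `Message` from the original question, run over the three sample messages quoted in this thread so it can be pasted into a search bar without any indexed data. The one change from the answer above is the classification rule: the second message type quoted later in the thread ("Application2:Photoinserted to somesets for an Account") contains a ":" as well, so testing for "%:%" would pick the wrong delimiter for it. This example therefore checks for " for " first and falls back to ":" otherwise, which is an assumption derived only from the three samples on this page; if real type-1 messages can contain the word "for" in their payload, key the condition on a stable prefix of the message instead.

```spl
| makeresults
| eval Message="Application photobuf message : dhfksdhkfhksdhfk hdfkshfskhfk dfhkshdfkshfhs"
| append [| makeresults | eval Message="Application Data loaded successfully for Photo No - 123456789 ; OrderIPlaceno - 987654321"]
| append [| makeresults | eval Message="Application2:Photoinserted to somesets for an Account"]
| eval delim=if(match(Message, " for "), " for ", ":")
| eval parts=split(Message, delim)
| eval field=trim(mvindex(parts, 0))
| stats count by field
```

The `makeresults`/`append` lines only build constructed sample events; replace them with the real base search and keep the last four lines. Splitting on " for " (with the surrounding spaces) rather than "for" avoids cutting inside words such as "before", and `trim()` removes the trailing space that splitting on ":" leaves on the first message type, so the `stats` groups are clean.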

jplumsdaine22
Influencer

Do you have some sample data? Are message1 and message2 text strings or field names? Are they in a field or do you need to extract from raw?

0 Karma

AdixitSplunk
Path Finder

Field name is Message. By Message1 and 2 I mean different types of message.
So there are basically 2 types of messages in field Message.
Example:
1st Application photobuf message : dfgjsdgfjsgd gsdkgfksdgf ksdgfksdgfk s --- for such messages I want ":" as the delim
2nd Application2:Photoinserted to somesets for an Account --- for these messages I want "for" as the delim

0 Karma