- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to fetch data using rex command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to fetch data using rex command
These are some below mentioned details which is present in splunk in exactly same format:-
New Core 12 Month CTE (2014)(HEROCN2 & HEROTV2)
Mix Core
Full House Core
Player Core
Fun Core
35% off Mix Core 12m (11887)
Full House Minor Core
Fun bundle
Full House Minor & Major Core
Full House Major Core
VIP Core
Strong kham Core
Strong Easy Core
Strong kham Minor Core
Strong Bang Core
3 for ??44 Triple Core
Strong kham Minor and Major Core
ATL Player Core (50mb & above) 12m discount 12m CTE (11957)
ACQ Strong kham Core TVXL/BBXXL/Phone M Triple with TiVo, 12 month offer (11768)
35% off Full House Core 12m (11888)
I wanted to fetch only these below mentioned names using rex command:-
Mix Core
Full House Core
Player Core
Fun Core
Full House Minor Core
Full House Major Core
VIP Core
Strong kham Core
Strong Easy Core
Strong kham Minor Core
Strong Bang Core
Could you please help me in creating the rex command which will only provide me the above mentioned details as a result.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@m7787580 - did you ever get a solution to this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like you are trying to extract all the values, but eliminate any values that have numbers or ampersands in them.
| rex field=_raw "name\>(?<CoreOffering>[^\<]+)" max_match=50
| eval CoreOffering = mvfilter(NOT match(CoreOffering,"[&0-9]"))
However, "Strong kham Minor and Major Core" is an exception. Did you want to get rid of that?
Use this at the end if six words (with spaces between them) is enough to disqualify a result...
| eval CoreOffering = mvfilter(NOT match(CoreOffering,"\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S"))
Use this at the end if the word " and " is enough to disqualify a result...
| eval CoreOffering = mvfilter(NOT match(CoreOffering,"\s+and\s+"))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are these a field values available in multiple events and you want to filter to keep only the events with field in format specified in your second list? What's your current search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes these fields are present in multiple events i just want to rex out above mentioned fields from them.
I tried to use below mentioned search
|rex field=_raw "name\>(?<CoreOffering>[^\<]+)" max_match=50|top CoreOffering limit=0|search CoreOffering =*Core*|rex field=CoreOffering "(?\w*\s*[^\C]+)"
But is not extracting the exact field name which i want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
|rex field=_raw "name\>(?<CoreOffering>[^\<]+)" max_match=50|top CoreOffering limit=0|search CoreOffering =*Core*|rex field=CoreOffering "^(?<FilteredCoreOffering>[A-z\s]+)$
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
