Splunk Search

How to extract a string in a CSV where the field position can have multiple different values?

johnca00
New Member

Hello -

I'm trying to extract a field from a CSV. The problem is the 9th position can have several different values. I need the field for the "700 Auth_Method_success" value. When I set up the field, I'm getting the "70..." alone with all the other possible values.

EXAMPLE

246436066,Application,SSH Tectia Server,INFORMATION,abc.def.ghi.com,9/13/2017 9:28:55 AM,0,None,"700 Auth_method_success, Username: custdm10/ECS-40ZV,

Thanks.

Carl

0 Karma

Sukisen1981
Champion

How are you extracting the field?
Why can't you just use a , as delimiter, since all fields are separated by commas in your sample? You can then rename field9 as whatever you want during extraction. I think you might have tried using regex extraction from the web and selected just the '700 auth' field as a sample. This will return only this specific value.

0 Karma

niketn
Legend

@johnca00, you need to add more details for your question and example.

Do you have an issue with the field name or the field value at the 9th position?
What are some of the different samples for 9th position?
Does it start with double quotes and does not have an ending double quote?

"700 Auth_method_success,
Please also explain what you mean by I'm getting the "70..." alone with all the other possible values

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

johnca00
New Member

Sorry for the typo. During the field extract I'm seeing only the '700 auth....'. When I put the field into a search it's returning all possible values, not just the '700 auth...'

0 Karma

johnca00
New Member

Hello -

Sorry for the typo. During the extract I see just the '700 Auth....' When I add the field to my search I'm seeing all the possible values.

0 Karma
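
The following is an added example, not code from any post in this thread and not Splunk's own extraction logic. It parses the sample line outside Splunk to show why a purely positional extraction of column 9 returns every value, and how a value match on top of the position narrows it to the "700 Auth_method_success" events. The second and third lines, the `999 Placeholder_other_event` value and all function names are constructed for illustration.

```python
import csv
import re

# First line is the sample from the thread (its quoted field is cut off there);
# the other two are constructed, with a placeholder value in the 9th column.
SAMPLE_LINES = [
    '246436066,Application,SSH Tectia Server,INFORMATION,abc.def.ghi.com,'
    '9/13/2017 9:28:55 AM,0,None,"700 Auth_method_success, Username: custdm10/ECS-40ZV,',
    '246436067,Application,SSH Tectia Server,INFORMATION,abc.def.ghi.com,'
    '9/13/2017 9:29:10 AM,0,None,"999 Placeholder_other_event, Username: exampleuser, x"',
    '246436068,Application,SSH Tectia Server,INFORMATION',  # short row, no column 9
]

WANTED = "700 Auth_method_success"
USERNAME_RE = re.compile(r"Username:\s*([^,\s]+)")


def ninth_field(line):
    """Return column 9 (index 8) or None; commas inside quotes stay in the field."""
    # Parse one line at a time so an unterminated quote cannot swallow the next event.
    row = next(csv.reader([line]), [])
    return row[8] if len(row) > 8 else None


def auth_success(line):
    """Return (event, username) only when column 9 starts with WANTED."""
    field = ninth_field(line)
    if field is None or not field.lower().startswith(WANTED.lower()):
        return None
    m = USERNAME_RE.search(field)
    return (field[:len(WANTED)], m.group(1) if m else None)


def positional_only(lines):
    """What a position-only extraction yields: every value seen in column 9."""
    return [f for f in map(ninth_field, lines) if f is not None]


if __name__ == "__main__":
    print(positional_only(SAMPLE_LINES))
    print([auth_success(line) for line in SAMPLE_LINES])
```

The prefix comparison is case-insensitive because the question writes "Auth_Method_success" while the sample line has "Auth_method_success".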