
How to Extract the files - each line has different formats

rajeswariramar
New Member

I want to extract the below:

2018-01-08T04:43:00,700|[http-nio-9094-exec-10]|INFO|VM1|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl|DA4885B49C8376878C57DB952FD84E39|99aee0b4-f912-4526-a9af-6fb9c27c5fe0|USER1|Normal|IBD1|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl| DocId = 1470| Execution Time : 6097milliseconds

2018-01-08T05:01:03,183|[http-nio-9094-exec-7]|INFO|VM2|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl|01D362DD96D7E608E83023B02D5B9508|67a81da1-3810-4c66-9ce7-eb9c9732f8ea|null%40null|USER2|Normal|IBD2|com.alb.bps.retrieval.service.DocumentRetrievalServiceImpl| DocId = 1473| Execution Time : 715milliseconds

I'm using the below syntax for extraction, but it is not working properly.

Also, I want to extract the Execution Time as numbers only; I don't want to include the word milliseconds.

Can you please advise?
^(?P[^:]+)(?:[^|\n]|){3}(?P\w+)(?:[^|\n]|){4}(?P[^|]+)|\w+|(?P[^|]+)[^ \n]* (?P[^|]+)[^:\n]*:(?P\s+\d+[a-z]+)

0 Karma

horsefez
Motivator

Hi rajeswariramar,

Please give this a look.

https://regex101.com/r/Z10lQg/3/

You can easily adjust this to your requirements. If you need more help, tell me.

0 Karma