Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Newbie Splunk Field Extraction Question

jcman01
Engager
‎10-15-2012 11:23 AM

I have a log entry that looks like this. I am talked with coming up with a quick-and-dirty financial report to report net sales. Can someone tell me where to start doing this? Do I build a report and use field extraction? The values I want to look for are, or course, "Net Sales", and then capture the dollar amound after that. I would like to just get a list of the 

ThreadName=Thread-2;|12:26:21,680  INFO OrderController:126 - Net sales per order: 362.15
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

RicoSuave
Builder
‎10-15-2012 11:38 AM

The easiest way to extract that field will be to use the rex command in search. This should give you what you want:

<yoursearch> | rex field=_raw "order:\s(?<netsales>\d+.?\d+)"

That should extract that dollar amount into a field called netsales. This is assuming that the dollar amount is always preceded by order:

View solution in original post

Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎10-15-2012 01:46 PM

You can make that a permanent field extraction by selecting the specific event and building the extraction with the extract fields from the pull down next to each log line or you can:

create a props.conf for that sourcetype and in it put this in it:

props.conf
[YOURSOURCETYPE]
EXTRACT-myextraction = order:\s(?\d+.?\d+)

Or

create a props.conf and a transforms.conf

props.conf
[YOURSOURCETYPE]
REPORT-myextraction = myfieldextraction

transforms.conf
[myfieldextraction]
REGEX = order:\s(?\d+.?\d+)

Reply
Solved! Jump to solution
Solution

RicoSuave
Builder
‎10-15-2012 11:38 AM

The easiest way to extract that field will be to use the rex command in search. This should give you what you want:

<yoursearch> | rex field=_raw "order:\s(?<netsales>\d+.?\d+)"

That should extract that dollar amount into a field called netsales. This is assuming that the dollar amount is always preceded by order:

Reply
Solved! Jump to solution

ptanner
New Member
‎10-16-2012 03:44 AM

This usually works. However, it wouldn't extract anything with an input like

ThreadName=Thread-2;|12:26:21,680 INFO OrderController:126 - Net sales per order: 3

since the regex asks for at least two digits. Also, you need to escape the point. Maybe something like this would be better:

| rex field=_raw "order:\s+(?\d+(?:\.\d+)?)"

This allows for an arbitrary number (>0) of whitespaces.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...