Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Newbie Splunk Field Extraction Question

jcman01
Engager
‎10-15-2012 11:23 AM

I have a log entry that looks like this. I am talked with coming up with a quick-and-dirty financial report to report net sales. Can someone tell me where to start doing this? Do I build a report and use field extraction? The values I want to look for are, or course, "Net Sales", and then capture the dollar amound after that. I would like to just get a list of the 

ThreadName=Thread-2;|12:26:21,680  INFO OrderController:126 - Net sales per order: 362.15
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

RicoSuave
Builder
‎10-15-2012 11:38 AM

The easiest way to extract that field will be to use the rex command in search. This should give you what you want:

<yoursearch> | rex field=_raw "order:\s(?<netsales>\d+.?\d+)"

That should extract that dollar amount into a field called netsales. This is assuming that the dollar amount is always preceded by order:

View solution in original post

Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎10-15-2012 01:46 PM

You can make that a permanent field extraction by selecting the specific event and building the extraction with the extract fields from the pull down next to each log line or you can:

create a props.conf for that sourcetype and in it put this in it:

props.conf
[YOURSOURCETYPE]
EXTRACT-myextraction = order:\s(?\d+.?\d+)

Or

create a props.conf and a transforms.conf

props.conf
[YOURSOURCETYPE]
REPORT-myextraction = myfieldextraction

transforms.conf
[myfieldextraction]
REGEX = order:\s(?\d+.?\d+)

Reply
Solved! Jump to solution
Solution

RicoSuave
Builder
‎10-15-2012 11:38 AM

The easiest way to extract that field will be to use the rex command in search. This should give you what you want:

<yoursearch> | rex field=_raw "order:\s(?<netsales>\d+.?\d+)"

That should extract that dollar amount into a field called netsales. This is assuming that the dollar amount is always preceded by order:

Reply
Solved! Jump to solution

ptanner
New Member
‎10-16-2012 03:44 AM

This usually works. However, it wouldn't extract anything with an input like

ThreadName=Thread-2;|12:26:21,680 INFO OrderController:126 - Net sales per order: 3

since the regex asks for at least two digits. Also, you need to escape the point. Maybe something like this would be better:

| rex field=_raw "order:\s+(?\d+(?:\.\d+)?)"

This allows for an arbitrary number (>0) of whitespaces.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...