- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- splunk query to get data from the field and pass i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk query to get data from the field and pass it to another field
Hi , I want to extract field data and pass this data in different fields.
Data available in "Mark" field for a single event in splunk.
Mark = {"Time Zone/Geo Location","Distance_miles 600mi/Hour","over 1000km",.....}
The above is the data for 'Mark' field for an event. I want to extract data from Mark field and assign it to new fields "Mark1", "Mark2", "Mark3"
Mark1 = Time Zone/Geo Location
Mark2=Distance_miles 600mi/Hour
Mark3=over 1000km
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
| rex field=_raw "(?<mark1>I am C)"
mark1 is the field name and I am C is what you want to extract.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Mayurr, query working fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this run anywhere search
| makeresults
| eval data="Mark = {\"Time Zone/Geo Location\",\"Distance_miles 600mi/Hour\",\"over 1000km\"}"
| rex field=data "Mark\s=\s\{\"(?<mark1>[^\"]+)\",\"(?<mark2>[^\"]+)\",\"(?<mark3>[^\"]+)"
In your environment you should try
| rex field=_raw "Mark\s=\s\{\"(?<mark1>[^\"]+)\",\"(?<mark2>[^\"]+)\",\"(?<mark3>[^\"]+)"
This is only for first three fields but you can use similar approach for multiple fields as well.
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mayurr, Thanks for quick response, congrats as you are selected for splunk conf 2018.
Regarding the query, sorry, query did not work for me.
let me rephrase the question.
Mark field can have different data like
Mark={"I am P","I am Z","I am C","I am D",.....}
so now i want to take only "I am C" - not exactly the third place all the time from the field Mark and add it to a new field "Mark1". Please advise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'll need to explain a bit better then what exactly you want.
You say "not exactly the third place all the time", but what then defines which piece of the Mark field to put into Mark1?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Frank, I want to take "I am C" data from Mark field and add it to Mark1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still a bit confused, but I'd say: create a regex that matches what you expect as "I am C" and assign that to Mark1.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
