How to extract values from within a field?

nitz13 · ‎04-17-2018

I have events of the following format:

 {  [-]      
         log:    2018-04-16 11:33:09 INFO  Report:46 - Number of Records read from Input File [10000] , number of records Posted [10000] to topic [completed.processing]
     stream:     stdout 

 time:   2018-04-16T16:33:09.36532399Z  

} }

Log is an extracted field and I want to extract the values "Number of records read from Input file and number of records posted" from within the field log and display it as a table of the following format:
Number of Input Records . Number of records posted
10000 10000

kmaron · ‎04-17-2018

You should be able to use a regular expression to pull out the number of input records and number of records posted. Then make a table from them.

| makeresults 
| eval log="2018-04-16 11:33:09 INFO  Report:46 - Number of Records read from Input File [10000] , number of records Posted [10000] to topic " 
| rex field=log "Number of Records read from Input File \[(?<InputRecords>.*?)\] , number of records Posted \[(?<PostedRecords>.*?)\] to topic" 
| rename InputRecords as "Number of Input Records" PostedRecords as "Number of Records Posted" 
| table "Number of Input Records" "Number of Records Posted"

How to extract values from within a field?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!