Solved: How do I extract a whole sentence as a field from ...

shubhambhagat02 · ‎10-15-2018

I want to generate a report by using a log file as an input. The log file is like:

01/16/2018   process 1 successful 
01/16/2018  process 2 successful  
01/16/2018  process 3 successful

I want "process 2 successful" as a field so that I can use the transforming command to generate a report.

Vijeta · ‎10-16-2018

Please use _raw instead of x

View solution in original post

Vijeta · ‎10-16-2018

Please use _raw instead of x

Vijeta · ‎10-15-2018

you can use rex command to extract the desired text

rex field=x "^\S+ (?<text>\w+\s+\d+\s+\w+)"

See the example below-

 | makeresults 
    |  eval x="2018/12/09 process 1 successful"
    | appendpipe
        [| eval x="2018/12/09 process 2 successful"
        | appendpipe
            [| eval x="2018/12/09 process 3 successful"]]
    |  rex field=x "^\S+ (?<text>\w+\s+\d+\s+\w+)"

shubhambhagat02 · ‎10-16-2018

Thanks for answer.

I tried following your example rex field=x "^\S+ (?\w+\s+\d+\s+\w+)" but still i am not able to extract the fields.

How do I extract a whole sentence as a field from a log file and generate a report?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2