Splunk Search

How to extract particular string in the data?

pench2k19
Explorer

Hi Team,

I'm planning to collect the highlighted text from the raw data as below

info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./cnapp_generic_reformat_control_file_2019-04-10-06-35-06_**10471**.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./eapp_generic_publish_status_2019-04-10-06-35-11_11311.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./aiblk_linear_framework_us__msa104_gl_txn__feed_2019-04-10-06-35-58_18695.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./cnapp_process_acqit_log_files_2019-04-10-06-43-49_4398.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./eapp_generic_publish_status_2019-04-10-06-44-21_8468.log

Can you please help me with a regex expression for the same. Thank you

@vnravikumar @jkat54

0 Karma

woodcock
Esteemed Legend

Try this:

|makeresults | eval _raw="apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./cnapp_generic_reformat_control_file_2019-04-10-06-35-06_10471.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./eapp_generic_publish_status_2019-04-10-06-35-11_11311.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./aiblk_linear_framework_us_msa104_gl_txn_feed_2019-04-10-06-35-58_18695.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./cnapp_process_acqit_log_files_2019-04-10-06-43-49_4398.log
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_us/log/./eapp_generic_publish_status_2019-04-10-06-44-21_8468.log"
| rex max_match=1 "_\d{4}(?:-\d{2}){5}_(?<log_number>\d+)\.log"

0 Karma

pench2k19
Explorer

Thanks @woodcock... but I can't use the makeresults command in my query. Do you have any alternative way to get this?

0 Karma

woodcock
Esteemed Legend

The makeresults was to generate fake events to test your solution, which is only the last line.

0 Karma

harsmarvania57
SplunkTrust

Hi,

Please try below regex, it will extract highlighted value in new field called ext_value

<yourBaseSearch> | rex field=_raw "_\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}_(?<ext_value>\d+)\.log"

0 Karma

pench2k19
Explorer

Thanks for the reply @harsmarvania57... it's matching all the rows, but I need to extract the value only from the first row.

0 Karma

harsmarvania57
SplunkTrust

Is the sample data you provided a single event, or are those different events?

0 Karma

pench2k19
Explorer

It's from a single event.

0 Karma

harsmarvania57
SplunkTrust

Try this:

| rex field=_raw max_match=1 "^(?s)(?:[^\/]*[\/]){11}([^\d]*)\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}_(?<ext_value>\d+)\.log"

0 Karma

pench2k19
Explorer

It's not working @harsmarvania57... actually my raw data is like this and it's coming as a single event. I need to extract the highlighted value.

[2019-04-15 06:12:26] Plan File: /apps/src/aasconap/prod/abinitio/cnapp/cnapp_src/cnapp_src_msp/pset/planpset/processing_plan.msp_master_708_936.pset
[2019-04-15 06:12:26] Recovery File: /apps_run_aasconap/prod/processing_plan.msp_master_708_936.rec
[2019-04-15 06:12:26] Beginning plan '/'
[2019-04-15 06:12:28] Method '/Get RUN_ID/perform' changed parameter 'RUN_ID' from '' to '28090'
[2019-04-15 06:12:43] Standard Output for '/Standardize control file/perform':
info : ++++ STARTED ++++ Job cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803
info : Central logging to /apps/dat/aasconap/prod/admin/log/environment_operations_2019_04.log
info : Raw tracking to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/tracking/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.tracking
info : Input pset archived to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/parameter/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.pset
info : Summary is not being collected
info : Error logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/error/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.err
info : Duplicating stderr
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/log/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.log
[2019-04-15 06:12:46] Standard Output for '/Standardize control file/perform':
info : ++++ COMPLETED ++++ Job cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803
[2019-04-15 06:12:47] Method '/Set dynamic plan variables from control file/perform' changed parameter 'EFF_DATE' from '2019-04-14' to '2019-04-14'
[2019-04-15 06:12:48] Method '/Set dynamic plan variables from control file/perform' changed parameter 'DATA_READ_LOCATION' from '' to 'hdfs:/datalake/consumer/msp/raw/tmp/MSP_DELTA_PR708_936_MASTER_190414'
[2019-04-15 06:12:48] Method '/Set dynamic plan variables from control file/perform' changed parameter 'REC_CNT' from '' to '580157'
[2019-04-15 06:12:48] Method '/Set dynamic plan variables from control file/perform' changed parameter 'CNAPP_PUB_KEY_REG_PG' from 'PG777' to '708_936'
[2019-04-15 06:12:48] Standard Output for '/Set dynamic plan variables from control file/perform':
Successfully validated effective date format from control file (value = 2019-04-14)
[2019-04-15 06:12:51] Standard Output for '/Publish module start metadata/perform':
info : ++++ STARTED ++++ Job eapp_generic_publish_status_2019-04-15-06-12-50_8647
info : Central logging to /apps/dat/aasconap/prod/admin/log/environment_operations_2019_04.log
info : Raw tracking to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/tracking/./eapp_generic_publish_status_2019-04-15-06-12-50_8647.tracking
info : Input pset archived to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/parameter/./eapp_generic_publish_status_2019-04-15-06-12-50_8647.pset
info : Summary is not being collected
info : Error logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/error/./eapp_generic_publish_status_2019-04-15-06-12-50_8647.err
info : Duplicating stderr
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/log/./eapp_generic_publish_status_2019-04-15-06-12-50_8647.log

0 Karma
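As an added example (not code from anyone in this thread), the script below runs the same pattern the answers use against the multi-line event posted above, reduced to a constructed sample assembled from the lines shown. It makes the two points the thread circles around visible: with a single event, Splunk's rex default (max_match=1) already returns only the first hit, so the first-line value comes out as 7803 and not 8647, and the trailing `\.log` is what stops the `.tracking`, `.pset` and `.err` paths that carry the same number from matching. A third, stricter variant anchored on the "Detailed logging to" text is an assumption of mine, added to show how to protect the extraction against other `_<timestamp>_<number>.log` names appearing in future events. Python's `re` uses `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the pattern is otherwise identical.

```python
import re
from typing import List, Optional

# Constructed sample: one multi-line Splunk event, assembled from the lines the
# poster showed above (trimmed to the lines that matter for the extraction).
EVENT = """[2019-04-15 06:12:26] Plan File: /apps/src/aasconap/prod/abinitio/cnapp/cnapp_src/cnapp_src_msp/pset/planpset/processing_plan.msp_master_708_936.pset
[2019-04-15 06:12:43] Standard Output for '/Standardize control file/perform':
info : ++++ STARTED ++++ Job cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803
info : Central logging to /apps/dat/aasconap/prod/admin/log/environment_operations_2019_04.log
info : Raw tracking to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/tracking/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.tracking
info : Input pset archived to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/parameter/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.pset
info : Error logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/error/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.err
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/log/./cnapp_generic_reformat_control_file_2019-04-15-06-12-43_7803.log
[2019-04-15 06:12:51] Standard Output for '/Publish module start metadata/perform':
info : ++++ STARTED ++++ Job eapp_generic_publish_status_2019-04-15-06-12-50_8647
info : Detailed logging to /apps/dat/aasconap/prod/admin/cnapp/cnapp_src/cnapp_src_msp/log/./eapp_generic_publish_status_2019-04-15-06-12-50_8647.log
"""

# The pattern from the answers above: timestamp, underscore, captured number, ".log".
# "\.log" is what excludes the .tracking/.pset/.err paths carrying the same number.
PATTERN = re.compile(r"_\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}_(?P<ext_value>\d+)\.log")

# Assumed stricter variant (my addition): also require the "Detailed logging to"
# prefix, so other "_<timestamp>_<number>.log" names cannot be picked up.
DETAILED_PATTERN = re.compile(
    r"Detailed logging to \S*?_\d{4}(?:-\d{2}){5}_(?P<ext_value>\d+)\.log"
)


def first_log_number(event: str) -> Optional[str]:
    """Equivalent of `rex max_match=1` (Splunk's default): the first match only."""
    m = PATTERN.search(event)
    return m.group("ext_value") if m else None


def all_log_numbers(event: str) -> List[str]:
    """Equivalent of `rex max_match=0`: every match, in event order."""
    return [m.group("ext_value") for m in PATTERN.finditer(event)]


def first_detailed_log_number(event: str) -> Optional[str]:
    """Same as first_log_number, but anchored on the 'Detailed logging to' text."""
    m = DETAILED_PATTERN.search(event)
    return m.group("ext_value") if m else None


if __name__ == "__main__":
    print("first match (max_match=1):", first_log_number(EVENT))
    print("all matches (max_match=0):", all_log_numbers(EVENT))
    print("anchored on 'Detailed logging to':", first_detailed_log_number(EVENT))
```

If the search still returns one value per line in Splunk, the data is being split into one event per line at index time, which is what harsmarvania57's question about single versus multiple events is getting at; in that case the fix is in line-breaking (props.conf for the sourcetype), not in the regex.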

pench2k19
Explorer

@FrankVl, can you help me here?

0 Karma