Splunk Search

Extract a substring and filter the results based on the extracted substring from incoming logs

nagar57
Communicator

I am pretty new to Splunk and finding a way to figure out below:
My incoming logs have a field message which contains String formatted value. e.g.

message="OVERALL_RESPONSE_TIME=43ms"
message="Correlation_id=123123hewgadkksksk"

Now I want to filter out messages which don't contain OVERALL_RESPONSE_TIME as a String and also extract OVERALL_RESPONSE_TIME as a field. I am looking for a single Eval expression to do so.

TIA

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I'm not sure one can do that with a single eval. Try this query. The regex command filters out events that don't contain OVERALL_RESPONSE_TIME and the rex command extracts OVERALL_RESPONSE_TIME as a field.

... | regex message!="OVERALL_RESPONSE_TIME=\d+ms" | rex field=message "OVERALL_RESPONSE_TIME=(?<responseTime>\d+)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...