Solved: How to extract the single field with the multiple ...

marisstella · ‎07-09-2019

Hiiii
How to extract the single field with multiple values?
Like status is active, failed, cancelled, deactivated, forwarded, reversed
I have created a regex but it is only looking for active not for remaining status...

tiagofbmm · ‎07-09-2019

I used your data to formulate a sample test.

   | rex field=a "newstp - (?<status>\S*)

Tell me if this works

View solution in original post

tiagofbmm · ‎07-09-2019

| rex field=a "\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d{3}\"\;\"(?<field1>[^\"]*)\"\;\"(?<field2>[^\"]*)\"\;\".*\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d{3}\"\;\"\d*\"\;\"(?<field3>[^\"]*)"

marisstella · ‎07-13-2019

Hiii tiagofbmm,
I posted a new query, I didn't get a correct response from anyone.. I hope, you will answer to my query..
I have created the fields like A B C.... Now I want to merge A and B fields by creating new field...
Like D=A+B... Can I get any idea on this???

I tried doing this like | eval report= A. "-" .B this is working but we can't run SPL Query everytime...

tiagofbmm · ‎07-09-2019

I used your data to formulate a sample test.

   | rex field=a "newstp - (?<status>\S*)

Tell me if this works

marisstella · ‎07-09-2019

If you don't mind can you also help on more two fields?

tiagofbmm · ‎07-09-2019

shoot, I'll help if I can

tiagofbmm · ‎07-09-2019

could you paste here a sample of the data you're looking at?

How to extract the single field with the multiple values?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!