Extract fields with a regular expression

narabhut · ‎07-29-2013

I have fields in the format of LOG_ID, DEVICE_DATA, USERNAME, that I'd like to extract, and I'd like to exclude the default Splunk fields like _time, *_raw, and timeendpos, timestartpos, etc. Is that possible to do through the regex command? Can I chain that with table somehow?

aholzer · ‎07-29-2013

If you have "key=value" pairs, Splunk should be extracting them as a field by the name of "key" and the corresponding value "value".

You should be able to limit your searches by simply adding a the field = value as part of your search terms. (Example: "LOG_ID=12312")

If you are interested in displaying only certain fields in a table format, then piping into a table command and listing the fields you want is enough.

narabhut · ‎07-29-2013

The data in the fields can contain anything, so I don't think I can do filtering based on that. An example would be LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST"

dglinder · ‎07-29-2013

Can you update the quesiton with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc)?

Ayn · ‎07-29-2013

No, the regex command is used for filtering search results based on a regular expression. The rex command is used for extracting fields out of events though. Including/excluding fields is done using the fields command.

Based on your question it sounds like you should take a tour of how Splunk works. Field extractions are covered here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

And there's an excellent Splunk tutorial: http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial

Extract fields with a regular expression

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2