Hi
Our fields have a space between the field name and the information we want to extract.
The two searches I have tried are:
source="D:\Splunk\File.trc" AND (From: OR To: OR Subject:) | rex field=_raw "From: (?
search result
from="" to "" subject ""
source="D:\Splunk\FlightCentre\July 18th 2013 Files\TCLINKSM1.trc" AND From: | rex field=_raw ".*From: +(?
search result
from=""
Raw data looks like this (modified to take out dates etc.), but the relevant bit is below.
-> TranslateRFC1522 From: Person1 Surname
-> TranslateRFC1522 To: Person2 Surname
-> TranslateRFC1522 Subject: invoice # 52174 (24)
I think it's not returning anything as there is a space after the field(s) we are interested in extracting and before the data we want.
I tried the 2nd search with [a-z] after reading many, many Q&As.
Does anyone know how I can find everything after the field searched up to an open bracket "("
Thanks
Two things: first, this is what you need for the field extractions -
source="D:\Splunk\File.trc" AND ("From:" OR "To:" OR "Subject:")
| rex "From: (?<from>.*?) \("
| rex "To: (?<to>.*?) \("
| rex "Subject: (?<subject>.*?) \("
| table from, to, subject
The single rex would only work if the From, To and Subject were all on the same line, in that order, with nothing between them. Above, the three rex commands work independently.
Second, is your example of the raw data showing 3 events, or just a single multi-line event? If it is three events, then you probably want to group them before you do the table command. (Not sure why you would want to use return at all.) Try this:
source="D:\Splunk\File.trc" AND ("From:" OR "To:" OR "Subject:")
| rex "MailID: (?<mailID>\S+)"
| rex "From: (?<from>.*?) \("
| rex "To: (?<to>.*?) \("
| rex "Subject: (?<subject>.*?) \("
| transaction mailID
| table from, to, subject
I invented a field extraction for a mailID field, but perhaps you already have such a field in your data. Then I used the mailID in the transaction command to create the grouping.
Finally, I recommend creating permanent field extractions for these fields; I think you may want to use them often. The Interactive Field Extractor is an easy way to do this, or you could add the regular expressions directly to props.conf.
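The matching behaviour of those rex patterns, worked through in Python as an added example (not code from the thread or from Splunk). The sample lines are constructed: the timestamps, the "MailID:" token and the text around the labels are assumptions, since the original trace lines were redacted. It shows the answer's non-greedy "up to the first ' ('" patterns beside an anchored variant that also handles the two cases raised later in the thread: a line with no bracketed number at all, and a repeated line that differs only by its "(N)" counter, which must not be counted twice. The grouping function plays the role of transaction mailID.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the trace excerpt in the question.
# Timestamps, the "MailID:" token and the surrounding text are assumptions.
SAMPLE_LINES = [
    "2013-07-18 10:01:02 MailID: A1 -> TranslateRFC1522 From: Person1 Surname",
    "2013-07-18 10:01:02 MailID: A1 -> TranslateRFC1522 To: Person2 Surname",
    "2013-07-18 10:01:02 MailID: A1 -> TranslateRFC1522 Subject: invoice # 52174 (24)",
    "2013-07-18 10:01:03 MailID: A1 -> TranslateRFC1522 Subject: invoice # 52174 (36)",
    "2013-07-18 10:02:10 MailID: B7 -> TranslateRFC1522 From: Person3 Surname",
    "2013-07-18 10:02:10 MailID: B7 -> TranslateRFC1522 Subject: quote (no invoice) (9)",
]

# The patterns from the answer above: non-greedy, stop at the first " (".
# A line with no bracket does not match at all, and a subject containing
# its own parentheses is cut short at the first one.
ANSWER_PATTERNS = {
    "from": re.compile(r"From: (?P<v>.*?) \("),
    "to": re.compile(r"To: (?P<v>.*?) \("),
    "subject": re.compile(r"Subject: (?P<v>.*?) \("),
}

# Anchored variant: capture to end of line and discard an optional trailing
# "(N)" counter, so both of the cases above come out right.
ANCHORED_PATTERNS = {
    "from": re.compile(r"From: (?P<v>.*?)(?: \(\d+\))?$"),
    "to": re.compile(r"To: (?P<v>.*?)(?: \(\d+\))?$"),
    "subject": re.compile(r"Subject: (?P<v>.*?)(?: \(\d+\))?$"),
}

# Same shape as the invented mailID extraction in the answer.
MAILID_RE = re.compile(r"MailID: (?P<mailID>\S+)")


def extract(line, patterns):
    """Run each field regex independently over one line, like separate rex commands."""
    fields = {}
    for name, rx in patterns.items():
        m = rx.search(line)
        if m:
            fields[name] = m.group("v")
    return fields


def group_by_mailid(lines, patterns=ANCHORED_PATTERNS):
    """Group extracted fields by mailID (what transaction mailID does in SPL).

    Returns (groups, duplicates_dropped). A repeated line whose only
    difference is the bracketed counter yields the same field value and is
    dropped rather than counted again; a genuinely different value for an
    already-seen field overwrites the earlier one.
    """
    groups = OrderedDict()
    duplicates = 0
    for line in lines:
        mid = MAILID_RE.search(line)
        if not mid:
            continue  # no grouping key on this line; ignore it
        bucket = groups.setdefault(mid.group("mailID"), {})
        for name, value in extract(line, patterns).items():
            if bucket.get(name) == value:
                duplicates += 1
            else:
                bucket[name] = value
    return groups, duplicates


if __name__ == "__main__":
    groups, dropped = group_by_mailid(SAMPLE_LINES)
    for mail_id, fields in groups.items():
        print(mail_id, fields)
    print("duplicate lines dropped:", dropped)
```

The same patterns drop straight into rex, since Splunk's rex is PCRE as well; the one caveat is that `$` only matches at the very end of an event, so on a multi-line event the anchored form needs a leading `(?m)` to make `$` match at each line end.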
I think you need to study how Splunk breaks an input into events. Look at the Configure Event Linebreaking topic in the Getting Data In manual at
http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents
If that doesn't help, I suggest that you also look at other questions about line-breaking at answers.splunk.com, and perhaps open another question describing your specific issue...
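A props.conf sketch covering both pieces of advice in this thread, the event line-breaking this answer points to and the permanent field extractions the first answer recommends. This is an added example, not configuration from the thread or from Splunk's documentation; the sourcetype name and the timestamp pattern that marks the start of a message are assumptions and must be replaced with whatever actually begins a record in the .trc file.

```ini
# props.conf (added example). Stanza name and the line-start pattern are
# assumptions; replace them with your sourcetype and real record format.
[tclinksm_trace]

# Option 1: one event per physical line. Keeps From/To/Subject in separate
# events, so they have to be grouped at search time (e.g. transaction mailID).
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Option 2 (use instead of option 1, not as well): merge lines into one
# event per message, breaking only before a line that starts a new message.
# SHOULD_LINEMERGE = true
# BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} MailID:

# Permanent search-time extractions. (?m) lets $ match at each line end,
# which matters if option 2 produces multi-line events; the optional
# trailing "(N)" group discards the bracketed counter.
EXTRACT-mailid  = MailID: (?<mailID>\S+)
EXTRACT-from    = (?m)From: (?<from>.*?)(?: \(\d+\))?$
EXTRACT-to      = (?m)To: (?<to>.*?)(?: \(\d+\))?$
EXTRACT-subject = (?m)Subject: (?<subject>.*?)(?: \(\d+\))?$
```

Line-breaking settings only apply to data indexed after the change, so re-index a sample file to check the result; the EXTRACT- stanzas are search-time and take effect on existing data as soon as the file is reloaded.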
If I search on labels (From, To, Subject) the search will return them on separate lines, and the lines can be in the one event or can be scattered over one or more events. The lines I am after should follow each other closely, and I would have thought always be in the same event; however, the reasons for Splunk's returned search split I haven't worked out yet.
Splunk (out of the box) creates events; I am not sure how it decides, or why my relevant data is not in the selected, interesting or other fields.
E.g. raw data: there may be more lines of data in between the relevant example lines. Sometimes the line is repeated and the only difference is a bracketed number, e.g. (36). Bracketed numbers aren't relevant to me. I also need to be careful I do not pick up both lines of data and count things twice.
There is data before and after the relevant fields (on each line) that I haven't listed, for privacy's sake or because it is not relevant to the search.
Thank you - I am now going to digest & play with this. Will let you know how I get on.