
How to extract data (email address, subject) between two blank spaces that are after the field identifier - e.g. From:

suepfarrell
New Member

Hi

Our fields have a space between the field name and the information we want to .

The two searches I have tried are:

source="D:\Splunk\File.trc" AND (From: OR To: OR Subject:) | rex field=_raw "From: (?<from>.*) To: (?<to>.*) Subject: (?<subject>.*)" | return from, to, subject

search result
from="" to "" subject ""

source="D:\Splunk\FlightCentre\July 18th 2013 Files\TCLINKSM1.trc" AND From: | rex field=_raw ".*From: +(?<from>[a-z]+)" | return from

search result
from=""

Raw data looks like this (modified to take out dates etc) but relevant bit is below.

-> TranslateRFC1522 From: Person1 Surname (50)

-> TranslateRFC1522 To: Person2 Surname (65)

-> TranslateRFC1522 Subject: invoice # 52174 (24)

I think it's not returning anything as there is a space after the field(s) we are interested in extracting and before the data we want.

I tried the 2nd search with [a-z] after reading many, many Q&As.

Does anyone know how I can find everything after the field searched up to an open bracket "("?

Thanks

0 Karma

lguinn2
Legend

Two things: first, this is what you need for the field extractions -

source="D:\Splunk\File.trc" AND ("From:" OR "To:" OR "Subject:") 
| rex "From: (?<from>.*?) \(" 
| rex "To: (?<to>.*?) \(" 
| rex "Subject: (?<subject>.*?) \(" 
| table from, to, subject

The single rex would only work if the From To and Subject were all on the same line, in that order with nothing between them. Above, the three rex commands work independently.

Second, is your example of the raw data showing 3 events, or just a single multi-line event? If it is three events, then you probably want to group them before you do the table command. (Not sure why you would want to use return at all.) Try this:

source="D:\Splunk\File.trc" AND ("From:" OR "To:" OR "Subject:") 
| rex "MailID: (?<mailID>\S+)"
| rex "From: (?<from>.*?) \(" 
| rex  "To: (?<to>.*?) \(" 
| rex  "Subject: (?<subject>.*?) \(" 
| transaction mailID
| table from, to, subject

I invented a field extraction for a mailID field, but perhaps you already have such a field in your data. Then I used the mailID in the transaction command to create the grouping.

Finally, I recommend creating permanent field extractions for these fields; I think you may want to use them often. The Interactive Field Extractor is an easy way to do this, or you could add the regular expressions directly to props.conf.

0 Karma
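To make the answer's point concrete outside Splunk, here is an added Python example (not part of the original answer, and not Splunk's own code) that runs the same three regexes over constructed trace lines modelled on the question's raw data. It shows why the non-greedy `.*?` stops before the bracketed count, why the single combined regex from the question never matches when each label sits in its own event, and how grouping per-event extractions by a mail ID reproduces what `| transaction mailID` does. The `MailID:` prefix is a hypothetical field, exactly as the answer assumes one exists.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the trace lines in the question.
# "MailID: ..." is a hypothetical field; the answer assumes such a field exists.
# The second Subject line repeats the first with only the bracketed count changed,
# as described later in the thread.
SAMPLE_EVENTS = [
    "MailID: 1001 -> TranslateRFC1522 From: Person1 Surname (50)",
    "MailID: 1001 -> TranslateRFC1522 To: Person2 Surname (65)",
    "MailID: 1001 -> TranslateRFC1522 Subject: invoice # 52174 (24)",
    "MailID: 1001 -> TranslateRFC1522 Subject: invoice # 52174 (36)",
    "MailID: 1002 -> TranslateRFC1522 From: Person3 Surname (41)",
    "MailID: 1002 -> TranslateRFC1522 Subject: invoice # 52180 (24)",
]

# Same patterns as the answer's rex commands (Python spells named groups (?P<name>...)).
# The non-greedy .*? stops at the first " (" so the trailing "(50)" is excluded.
FIELD_PATTERNS = {
    "mailID": re.compile(r"MailID: (?P<mailID>\S+)"),
    "from": re.compile(r"From: (?P<from>.*?) \("),
    "to": re.compile(r"To: (?P<to>.*?) \("),
    "subject": re.compile(r"Subject: (?P<subject>.*?) \("),
}

# The single combined regex from the question: it can only match when
# From, To and Subject are all in one event, in that order, on one line.
COMBINED = re.compile(r"From: (?P<from>.*) To: (?P<to>.*) Subject: (?P<subject>.*)")


def extract_fields(event):
    """Run each rex independently over one event; a pattern that does not
    match simply contributes no field, just like rex in Splunk."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(event)
        if match:
            fields[name] = match.group(name)
    return fields


def combined_matches(event):
    """True only if the question's single combined regex would extract anything."""
    return COMBINED.search(event) is not None


def transaction(events):
    """Group per-event extractions by mailID, like `| transaction mailID`.
    setdefault keeps the first value seen for each field, so the repeated
    Subject line (same text, different bracketed count) is not counted twice."""
    grouped = defaultdict(dict)
    for event in events:
        fields = extract_fields(event)
        key = fields.get("mailID")
        if key is None:
            continue  # no mailID: cannot be assigned to a transaction
        for name, value in fields.items():
            if name != "mailID":
                grouped[key].setdefault(name, value)
    return dict(grouped)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fields(event), "combined regex matches:", combined_matches(event))
    for mail_id, fields in transaction(SAMPLE_EVENTS).items():
        print(mail_id, fields)
```

Running it prints one dictionary per event (the combined regex matches none of them, even when the three lines are joined into one multi-line event, because `.*` does not cross a newline) and then one grouped record per mail ID with `from`, `to` and `subject` filled in from whichever events carried them.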

lguinn2
Legend

I think you need to study how Splunk breaks an input into events. Look at the Configure Event Linebreaking topic in the Getting Data In manual at
http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents

If that doesn't help, I suggest that you also look at other questions about line-breaking at answers.splunk.com, and perhaps open another question describing your specific issue...

0 Karma

suepfarrell
New Member

If I search on labels (From, to, subject) the search will return them on separate lines and the lines can be in the one event or can be scattered over one or more events. The lines I am after should follow each other closely, and I would have thought always be in the same event, however the reasons for SPLUNK's returned search split I haven't worked out yet.

0 Karma

suepfarrell
New Member

Splunk (out of the box) creates events, not sure how it decides & why my relevant data is not in the selected, interesting or other fields.

E.g. raw data: There may be more lines of data in between the relevant example lines. Sometimes the line is repeated and the only difference is a bracketed number, e.g. (36). Bracketed numbers aren't relevant to me. I also need to be careful I do not pick up both lines of data and count things twice.

There is data before and after the relevant fields (on each line) that I haven't listed for privacy's sake or because it is not relevant to the search.

0 Karma

suepfarrell
New Member

Thank you - I am now going to digest & play with this. Will let you know how I get on.

0 Karma