Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract filed from text File

shugup2923
Path Finder
‎07-16-2019 11:35 PM

Hi All,
I am reading text file from one of the server using UF, data in splunk looks like -

Total expected size 1042532502 MB
Name: (state) Number of copies: Size:

SLP-MEDIUM-DDX1_CATALOG_2W (inactive) 4 111676 MB
SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 17 1292279 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1M (inactive) 514 81442047 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1M_DC1 (inactive) 4746 525210649 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1MDC1 (inactive) 100 15054931 MB
SLP-MEDIUM-DDXi_3M-DC2DXi_1Y (inactive) 22 7815733 MB
SLP-MEDIUM-DDXi_3M-DC2DXi_1YDC1 (inactive) 9 1419550 MB
SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 6 <1 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1M (inactive) 74 8478513 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 1196 105875404 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 159 15961308 MB
SLP-MEDIUM-DDXi_3M-DC1DXi_1Y_DC2 (inactive) 50 3037526 MB
SLP-MEDIUM-DA_2W-DP2A_1M (active) 1170 25512602 MB
SLP-MEDIUM-DA_2W-DP2A_5W (inactive) 179 1939354 MB
SLP-MEDIUM-DD_2W-DP2D_1M (active) 3274 37605665 MB
SLP-MEDIUM-DE_2W-DP2E_1M (active) 990 90378841 MB
SLP-MEDIUM-DA_2W-DP1A_1M (active) 816 20788679 MB
SLP-MEDIUM-DA_2W-DP1A_5W (inactive) 56 168606 MB
SLP-MEDIUM-DD_2W-DP1D_1M (active) 2503 12663760 MB
SLP-MEDIUM-DE_2W-DP1E_1M (active) 816 87799167 MB

I need to extract fields out of this data such as Total expected size, Name: (state) ,Number of copies,Size

Any method to extract it out, please let me know ?

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎07-17-2019 04:16 AM

hello there,
you can use | rex command as shown below, or use the field extractor, see link:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
you might have some challenges with the <1 value that will need extra work, highlighted in the screenshot

| makeresults count=1
| eval data = "SLP-MEDIUM-DDX1_CATALOG_2W (inactive) 4 111676 MB;;;SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 17 1292279 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1M (inactive) 514 81442047 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1M_DC1 (inactive) 4746 525210649 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1MDC1 (inactive) 100 15054931 MB;;;SLP-MEDIUM-DDXi_3M-DC2DXi_1Y (inactive) 22 7815733 MB;;;SLP-MEDIUM-DDXi_3M-DC2DXi_1YDC1 (inactive) 9 1419550 MB;;;SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 6 <1 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1M (inactive) 74 8478513 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 1196 105875404 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 159 15961308 MB;;;SLP-MEDIUM-DDXi_3M-DC1DXi_1Y_DC2 (inactive) 50 3037526 MB;;;SLP-MEDIUM-DA_2W-DP2A_1M (active) 1170 25512602 MB;;;SLP-MEDIUM-DA_2W-DP2A_5W (inactive) 179 1939354 MB;;;SLP-MEDIUM-DD_2W-DP2D_1M (active) 3274 37605665 MB;;;SLP-MEDIUM-DE_2W-DP2E_1M (active) 990 90378841 MB;;;SLP-MEDIUM-DA_2W-DP1A_1M (active) 816 20788679 MB;;;SLP-MEDIUM-DA_2W-DP1A_5W (inactive) 56 168606 MB;;;SLP-MEDIUM-DD_2W-DP1D_1M (active) 2503 12663760 MB;;;SLP-MEDIUM-DE_2W-DP1E_1M (active) 816 87799167 MB"
| makemv delim=";;;" data 
| mvexpand data
| rename COMMENT as "above generates sample data, below is your rex"
| rex field=data "(?<Name>[^\s]+)\s\((?<state>[^\)]+)\)\s(?<number_of_copies>[^\s]+)\s(?<size>[^\s]+)\s(?<size_unit>[^\s]+)"

screenshot:
alt text

hope it helps

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...