Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract filed from text File

shugup2923
Path Finder
‎07-16-2019 11:35 PM

Hi All,
I am reading text file from one of the server using UF, data in splunk looks like -

Total expected size 1042532502 MB
Name: (state) Number of copies: Size:

SLP-MEDIUM-DDX1_CATALOG_2W (inactive) 4 111676 MB
SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 17 1292279 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1M (inactive) 514 81442047 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1M_DC1 (inactive) 4746 525210649 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1MDC1 (inactive) 100 15054931 MB
SLP-MEDIUM-DDXi_3M-DC2DXi_1Y (inactive) 22 7815733 MB
SLP-MEDIUM-DDXi_3M-DC2DXi_1YDC1 (inactive) 9 1419550 MB
SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 6 <1 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1M (inactive) 74 8478513 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 1196 105875404 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 159 15961308 MB
SLP-MEDIUM-DDXi_3M-DC1DXi_1Y_DC2 (inactive) 50 3037526 MB
SLP-MEDIUM-DA_2W-DP2A_1M (active) 1170 25512602 MB
SLP-MEDIUM-DA_2W-DP2A_5W (inactive) 179 1939354 MB
SLP-MEDIUM-DD_2W-DP2D_1M (active) 3274 37605665 MB
SLP-MEDIUM-DE_2W-DP2E_1M (active) 990 90378841 MB
SLP-MEDIUM-DA_2W-DP1A_1M (active) 816 20788679 MB
SLP-MEDIUM-DA_2W-DP1A_5W (inactive) 56 168606 MB
SLP-MEDIUM-DD_2W-DP1D_1M (active) 2503 12663760 MB
SLP-MEDIUM-DE_2W-DP1E_1M (active) 816 87799167 MB

I need to extract fields out of this data such as Total expected size, Name: (state) ,Number of copies,Size

Any method to extract it out, please let me know ?

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎07-17-2019 04:16 AM

hello there,
you can use | rex command as shown below, or use the field extractor, see link:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
you might have some challenges with the <1 value that will need extra work, highlighted in the screenshot

| makeresults count=1
| eval data = "SLP-MEDIUM-DDX1_CATALOG_2W (inactive) 4 111676 MB;;;SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 17 1292279 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1M (inactive) 514 81442047 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1M_DC1 (inactive) 4746 525210649 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1MDC1 (inactive) 100 15054931 MB;;;SLP-MEDIUM-DDXi_3M-DC2DXi_1Y (inactive) 22 7815733 MB;;;SLP-MEDIUM-DDXi_3M-DC2DXi_1YDC1 (inactive) 9 1419550 MB;;;SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 6 <1 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1M (inactive) 74 8478513 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 1196 105875404 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 159 15961308 MB;;;SLP-MEDIUM-DDXi_3M-DC1DXi_1Y_DC2 (inactive) 50 3037526 MB;;;SLP-MEDIUM-DA_2W-DP2A_1M (active) 1170 25512602 MB;;;SLP-MEDIUM-DA_2W-DP2A_5W (inactive) 179 1939354 MB;;;SLP-MEDIUM-DD_2W-DP2D_1M (active) 3274 37605665 MB;;;SLP-MEDIUM-DE_2W-DP2E_1M (active) 990 90378841 MB;;;SLP-MEDIUM-DA_2W-DP1A_1M (active) 816 20788679 MB;;;SLP-MEDIUM-DA_2W-DP1A_5W (inactive) 56 168606 MB;;;SLP-MEDIUM-DD_2W-DP1D_1M (active) 2503 12663760 MB;;;SLP-MEDIUM-DE_2W-DP1E_1M (active) 816 87799167 MB"
| makemv delim=";;;" data 
| mvexpand data
| rename COMMENT as "above generates sample data, below is your rex"
| rex field=data "(?<Name>[^\s]+)\s\((?<state>[^\)]+)\)\s(?<number_of_copies>[^\s]+)\s(?<size>[^\s]+)\s(?<size_unit>[^\s]+)"

screenshot:
alt text

hope it helps

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...