Hi, I want to extract field data and pass this data into different fields.
Data available in the "Mark" field for a single event in Splunk:
Mark = {"Time Zone/Geo Location","Distance_miles 600mi/Hour","over 1000km",.....}
The above is the data of the 'Mark' field for an event. I want to extract data from the Mark field and assign it to new fields "Mark1", "Mark2", "Mark3":
Mark1 = Time Zone/Geo Location
Mark2 = Distance_miles 600mi/Hour
Mark3 = over 1000km
Try this:
| rex field=_raw "(?<mark1>I am C)"
mark1 is the field name and I am C is what you want to extract.
Thanks Mayurr, the query is working fine.
If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.
Try this run-anywhere search:
| makeresults
| eval data="Mark = {\"Time Zone/Geo Location\",\"Distance_miles 600mi/Hour\",\"over 1000km\"}"
| rex field=data "Mark\s=\s\{\"(?<mark1>[^\"]+)\",\"(?<mark2>[^\"]+)\",\"(?<mark3>[^\"]+)"
In your environment you should try:
| rex field=_raw "Mark\s=\s\{\"(?<mark1>[^\"]+)\",\"(?<mark2>[^\"]+)\",\"(?<mark3>[^\"]+)"
This is only for the first three fields, but you can use a similar approach for more fields as well.
Let me know if this helps!
Hi Mayurr, thanks for the quick response, and congrats on being selected for Splunk conf 2018.
Regarding the query, sorry, the query did not work for me.
Let me rephrase the question.
The Mark field can have different data, like
Mark={"I am P","I am Z","I am C","I am D",.....}
So now I want to take only "I am C" - not exactly the third place all the time - from the field Mark and add it to a new field "Mark1". Please advise.
You'll need to explain a bit better, then, what exactly you want.
You say "not exactly the third place all the time", but what then defines which piece of the Mark field to put into Mark1?
Hi Frank, I want to take the "I am C" data from the Mark field and add it to Mark1.
Still a bit confused, but I'd say: create a regex that matches what you expect as "I am C" and assign that to Mark1.
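As an added example, not code from this thread: a Python version of the two extractions discussed above, the positional mark1..mark3 split and the "one named element wherever it sits" case, run over Mark values constructed to match the shapes posted. The patterns are the same PCRE syntax Splunk's rex uses, except that Python spells a named group `(?P<name>...)`, and `\s?` is used so that both spellings seen in the thread, `Mark = {` and `Mark={`, match.

```python
import re

# Constructed sample values for the Mark field, shaped like the two examples in the thread.
MARK_GEO = 'Mark = {"Time Zone/Geo Location","Distance_miles 600mi/Hour","over 1000km"}'
MARK_LIST = 'Mark={"I am P","I am Z","I am C","I am D","I am CD"}'

# Positional extraction, as in the run-anywhere search above. Only the group syntax differs:
# Python needs (?P<name>...) where Splunk rex accepts (?<name>...).
POSITIONAL = re.compile(
    r'Mark\s?=\s?\{"(?P<mark1>[^"]+)","(?P<mark2>[^"]+)","(?P<mark3>[^"]+)"'
)

# Every quoted element inside the braces; the equivalent of rex with max_match=0.
ELEMENT = re.compile(r'"([^"]+)"')


def extract_positional(raw):
    """Return {'mark1': ..., 'mark2': ..., 'mark3': ...}, or {} when fewer than three elements exist."""
    m = POSITIONAL.search(raw)
    return m.groupdict() if m else {}


def split_mark(raw):
    """Return all elements of the Mark list in order, however many there are."""
    return ELEMENT.findall(raw)


def extract_named(raw, wanted, field="Mark1"):
    """Assign `wanted` to `field` only if it appears as a whole element, at any position.

    Anchoring on the surrounding quotes is what stops a bare pattern such as `I am C`
    from also matching inside a longer element like "I am CD".
    """
    pattern = re.compile('"(?P<%s>%s)"' % (field, re.escape(wanted)))
    m = pattern.search(raw)
    return m.groupdict() if m else {}
```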