- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract a Value from a Field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a situation where I have a defined field that has a large amount of data but I am interested in only one part of that field Status : 2
Apologies as I am new to Splunk and I am lower than elementary level on this, but how would I extract this value from the field? If rex, how would I set this query?
= (garbage) Status : 2 (garbage)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@joshy50 ,
Try
"your search"
|rex field=<your fieldname> "(?<status>Status : \d+)"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are possible values for status? Are they just digits?
A helpful way to approach this is to identify what characters are NOT going to be in your status. For example, if status can contain anything and is always followed by a semicolon, then you can construct a class that captures everything except a semicolon.
| rex "Status\s:\s(?<status>[^;]+);"
Sometimes this is easier than trying to predict all possible legal values, and can help in cases where something unexpected is found (developer says "only digits" but you find a pound sign and become a hero).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I believe you want to extract the value of the status field (i.e status = 2 then you want to extract 2 as the value of the status field)
- If you want to go for regex expression. your expression would look like ''Status'\W+(?\d+)'. Now that you have the regex expression. you can go to your splunk UI and there in the fields sidebar, scroll down you will see a '+' sign with "extract new fields">> click on it.
- You will see the option as "I prefer writing my own regular expression" click on that. And put the above specified regex expression there.
- preview your extracted field
- click save
And then you would get an extracted field as "status" in the fields side bar.
To know more about the regex expressions you can practice it here ----> "https://regex101.com/"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@joshy50 ,
Try
"your search"
|rex field=<your fieldname> "(?<status>Status : \d+)"
What goes around comes around. If it helps, hit it with Karma 🙂
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
