Solved: How to display the entire string when it has somet...

servlette · ‎02-11-2015

I am logging something like: Foo=123|456
When I query Splunk to get me Foo, it only prints 123 and it ignores |456.

I don't have anything like Foo="123|456" and what I have is: Foo=123|456

Please let me know how I get the entire value of Foo.

I need to get the entire value of it and to parse it to get 456.

somesoni2 · ‎02-11-2015

Give this try (lenght independent)

your base search | rex "Foo=(?<Foo>\w+\|\w+)"

Once satisfied, you can save this extraction in props.conf on search head to improve performance.

View solution in original post

somesoni2 · ‎02-11-2015

Give this try (lenght independent)

your base search | rex "Foo=(?<Foo>\w+\|\w+)"

Once satisfied, you can save this extraction in props.conf on search head to improve performance.

servlette · ‎02-11-2015

thank you 🙂

aljohnson_splun · ‎02-11-2015

Create a field extraction with the sparkly new field extractor. See a guide here.

You could also use rex to do a search time extraction:

| rex "Foo=(?<my_one_two_three>\d{3})\|(?<my_four_five_six>\d{3})"

servlette · ‎02-11-2015

Let me try... Thanks...

servlette · ‎02-11-2015

By the way, for illustration I used 123|456 and the length of 123 or 456 is not fixed. They can be of any length. The only thing I am interested is the values separated by "|".

How to display the entire string when it has something like Foo=123|456 ?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio