Re: How to extract field values in a search and fo...

akash_akkis · ‎09-05-2014

Hi I am new to splunk I wanted to extract data from logs that have a particular string with a value and only return data the logs format I have searched in below format

   ID: 2999
   Payload: {"Audit":{"__queryElapsedTime":"267","__requestReceived":"2014.09.04 06:01:04.560
   Address: sdfjkjsdljsjdjjkljsd";k;lklsdk

I wanted to search ID , Payload , Address and list in table format

 ID            Address                 Payload
2999     sdjsdjj;'lkdfj;ksfdk        {"Audit":{"queryElapsedTime":"267","requestReceivePlease

help me I am stuck with prod issue.

tom_frotscher · ‎09-05-2014

Hi!

If the above is what your events look like you should be able to do the field extraction with an regular expression. Your search would then look something like:

...| rex "ID:\s+(?<ID>\d+)\s+Payload:\s+(?<Payload>.*)\s+Address:\s+(?<Address>.*)$" | table ID Payload Address

Greetings

Tom

akash_akkis · ‎09-05-2014

Hey Tom thanks for the answer but data is not populated in Table giving blank result

How to extract field values in a search and format in a table?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!