Solved: Re: extracting the field

splunkpoornima · ‎11-07-2012

hi all

please help me in extracting the feild called Failed from the following events

Mon Jun 25 11:13:41 CDT 2012,UpdateDealStartPricesTask,Status : Completed with errors

Total chunks = 5

Successful chunks = 3

Failed chunks = 2

i used the extract fields -->i typed the failed there and i generate but its shows me

No regex could be learned. Try providing different examples or restriction.

dmaislin_splunk · ‎11-07-2012

Just create or modify the field extraction to be:

^Failed chunks\s=\s(?\d+)

View solution in original post

dmaislin_splunk · ‎11-07-2012

Just create or modify the field extraction to be:

^Failed chunks\s=\s(?\d+)

Rob · ‎11-07-2012

Just to expand what @dmaislin_splunk is saying. You can use the rex command with the regex above like this:

|rex field=_raw "^Failed\schunks\s=\s(?<failedchunks>\d+)"

smolcj · ‎11-07-2012

you should narrow your search , so that you will get the source file with your field to be extracted. the examples you are providing should be there in the right side.

extracting the field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases