Solved: Re: field extraction help

a212830 · ‎05-22-2012

Hi,

I'm a relative newbie (power noob?) who is having issues with extracting fields from a multi-line event. A sample is below. I need to parse out each one into field. I tried grabbing the beginning of the field to the end, but I'm not getting anything. Any ideas? -- \tTCPIP\s(?.+)%
(Not looking for each one - figured if I get one correct, the others would be similiar...)

StartEvent Tue May 22 15:25:33 EDT 2012 ***
CPU 0 17%
Object Store 10%
HTTP and FTP 2%
Access Logging 2%
Miscellaneous 1%
CPU 1 41%
TCPIP 18%
HTTP and FTP 16%
Policy evaluation - HTTP 5%
DNS service 1%

sdaniels · ‎05-22-2012

Assuming you have the line breaking right for the whole event...this works for me to extract the TCPIP %age:

Updated:

TCPIP\\s+(?<tcpip>.+)%

Not sure what you have at the beginning of yours with '--t'

View solution in original post

sdaniels · ‎05-22-2012

Assuming you have the line breaking right for the whole event...this works for me to extract the TCPIP %age:

Updated:

TCPIP\\s+(?<tcpip>.+)%

Not sure what you have at the beginning of yours with '--t'

a212830 · ‎05-29-2012

Thanks to you both. Just started reading my "Mastering Regular Expressions" book!

Ayn · ‎05-29-2012

TCPIP\s+(?<tcpip>\S+)%

a212830 · ‎05-29-2012

this grabs all the whitespace that is between TCPIP and the end value. Is there anyway to strip out that whitespace? I want to go from TCPIP to the %, and grab the value just before the %.

field extraction help

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team