Refine your search:

Extrating fileds based on matching values from log

0

Hi Want to extract specific fields from a log file. Tried using rex but failed.. need help

  • Want to extract matching [PID: <value> ] and [Thd: <value>]
  • export it to csv file or in any excel format

Log file EG:

----------------------------------------
03-09-2012 12:04:52.824 Information  C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile]  [PID: 296]  [Thd: 5400]  StockRoomController DisplayScanItem 1234 12345678 33333 00000000-0000-0000-0000-000000000000 Controller 39634671 39634703 32
----------------------------------------
----------------------------------------
03-09-2012 12:04:53.262 Information  C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile]  [PID: 296]  [Thd: 5676]  BCK001 UI 1 2 00000000-0000-0000-0000-000000000000 RenderingTime 1331316293215 1331316293246 31
----------------------------------------
----------------------------------------
03-09-2012 12:05:06.855 Information  C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile]  [PID: 296]  [Thd: 5036]  BCK001 UI 1 2 ffe7d7cb-c7ae-4056-8393-6e237b7e120b SubmitTime 0 1331316306839 0
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information  C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile]  [PID: 296]  [Thd: 5676]  StockroomDomainManager ReadLoc 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b DataBase 39649906 39650687 781
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information  C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile]  [PID: 296]  [Thd: 5676]  StockroomDomainManager ReadStkrmLocsByProdId_FG 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b DataBase 39649906 39650687 781
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information  C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile]  [PID: 296]  [Thd: 5676]  BackstockApplication GetStkrmLocsByProdId_FG 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b Controller 39649906 39650687 781
----------------------------------------
----------------------------------------
03-09-2012 12:05:08.230 Information  C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe [App: WebMobile]  [PID: 296]  [Thd: 5676]  StockRoomController DisplayScanLocation 1234 12345678 33333 ffe7d7cb-c7ae-4056-8393-6e237b7e120b Controller 39650687 39650687 0
----------------------------------------
----------------------------------------

asked 26 Mar '12, 02:30

tonan's gravatar image

tonan
161
accept rate: 100%

One Answer:
oldestnewestmost voted
0

What's not working with rex? This should work:

... | rex "\[PID: (?<pid>\d+)\]\s+\[Thd: (?<thd>\d+)\]"
link

answered 26 Mar '12, 02:59

Ayn's gravatar image

Ayn
24.8k3717
accept rate: 41%

Thankyou Ayn,

Is there any way to export the values out of the log files for the above two mentioned fields.

Like the logs have a "PID" and "Thd" value, can we use splunk to filter out that value and then export it to a say csv files or an excel sheet.

--update I can however select the fields i wish to in the output by selecting the fields under "selected fields" but i am not able to export these values in an excel sheet or say a csv

(26 Mar '12, 04:08) tonan

... | rex "\[PID: (?<pid>\d+)\]\s+\[Thd: (?<thd>\d+)\]" | fields pid thd | outputcsv exportedfields

(26 Mar '12, 04:10) Ayn
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×96
×52
×20

Asked: 26 Mar '12, 02:30

Seen: 609 times

Last updated: 26 Mar '12, 04:11

Related questions

How to identify uniqe field value from a log files

Getting logs out of txt files converted from wireshark captures pcap file

Relation between search and splunk internal log files.

Monitoring log files reused in a ring?

Need help to extract from from BackupExec Backup Log

Problem of not showing all indexers' information in splunk_instances_info.csv

Log rotation for compressed files

What is the frequency with which log files are read?

How to extract all matching values from an event using regex

Copyright © 2005-2012 Splunk Inc. All rights reserved.