Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a field between two patterns in a search for further stats processing?

atanasmitev
Path Finder
‎10-21-2014 09:52 PM

I have a _raw field with the following data in:

..............    "Stuff\":\"CAPITALS_AND_UNDERSCORES\",      ...........

The way I see it, I need to extract everything between "Stuff\":\" and ", patterns.

Can you help me extract the CAPITALS_AND... info from this line to a field, so that I further perform "stats" searches ?.
Splunk build is 6.0.1 if it matters.

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-22-2014 12:27 AM

Hi atanasmitev,

try something like this:

your base search here | rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ...

This will get you a new field called myField and matches any word character (alphanumeric & underscore). If there are other characters then the provided example, simply adapt the regex.

small update: and if this fits your needs, add it as automatic field extraction - to do this follow the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/Addfieldsatsearchtime

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-22-2014 12:27 AM

Hi atanasmitev,

try something like this:

your base search here | rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ...

This will get you a new field called myField and matches any word character (alphanumeric & underscore). If there are other characters then the provided example, simply adapt the regex.

small update: and if this fits your needs, add it as automatic field extraction - to do this follow the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/Addfieldsatsearchtime

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

atanasmitev
Path Finder
‎10-22-2014 07:25 AM

Works thanks 🙂 Finally . All I needed was to add another search option before the regexp, like so

my base search "Stuff" | rex field=thefield_to_rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ...

It seems like the entire field to regexp followed the same "ID" : "Info" notation, so instead of extract all it did was print 🙂
The rex works like a charm, yet my search was wrong 😄

Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...