Re: How to extract particular data from a file and...

Arminder_Bhalla · ‎10-16-2015

Hi

I have a flat file with the following data which is ingested in Splunk:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ABC Report

Date:2015-10-01

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FileName: xyz.123

File Processing Start Time:20151001 07:12:14

This file contains the following payments:

Mkt Bk Sender Id Cntry Curr Total Value Total Records
001 0700 2489 124 124 11443 7
001 0700 2685 124 124 39559 2
001 0700 2487 124 124 13408 76
001 0700 2891 124 124 76825 5
001 0700 2086 124 124 67606 5
001 0700 2083 124 124 39275 17
001 0700 2588 124 124 21101 7
CAN.EM.0072.0006
CAN.EM.0072.0007

File Processing End Time:20151001 07:12:14

I have to extract the highlighted data from the file and then assign it to different fields.

Can anyone help me on this?

jmallorquin · ‎10-16-2015

From the search you can use this regex:

| rex "(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)"

If you want to make it persist, you can modified the props.conf

Another way could be to use transforms.conf with delims = " "
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract...

asimagu · ‎10-16-2015

I think this is what you need : multikv command

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/multikv

How to extract particular data from a file and then define fields from it?

FileName: xyz.123

File Processing End Time:20151001 07:12:14

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!