Reputation: 1670
I am new to splunk. My requirement is to display the grid below.
Method                        Execution Time
IndexController.printHello    519
My Event String is below
{ "event" : "test", "message" : "OUT: IndexController.printHello - time taken: 519 ms"}
I tried the approach below
index = "myspluk" | table message | field method, executiontime
But it displays an empty message. I created a field extractor but it's not working.
I want to extract method and execution time from
"OUT: IndexController.printHello - time taken: 519 ms"
Any help will be greatly appreciated!!!
Upvotes: 1
Views: 1097
Reputation: 33463
@Mads Hansen's answer will most likely work, but experience shows multiple individual rex
statements to be safer (ie, they allow for corner cases / data in different sequences, etc):
| rex field=message "OUT:\s+(?<method>\S+)"
| rex field=message "taken:\s+(?<executiontime>\d+)"
Speed for sequential regular expressions - 9 & 23 steps, respectively
If you want to use an all-at-once regular expression, because you know the data is always in the same order, this one is simpler and faster (28 vs 82 steps) than Mads Hansen's:
| rex field=message "OUT:\s+(?<method>\S+).+?taken:\s+(?<executiontime>\d+)"
Lastly, if you know the order of the message field is always the same, you could do this, making a multivalue field, and separate it after (I combined two eval statements into one line, since they're not dependent upon each other):
| rex field=message max_match=0 ":\s+(?<mymvfield>\S+)"
| eval method=mvindex(mymvfield,0), executionTime=mvindex(mymvfield,-1)
Upvotes: 1
Reputation: 66781
I would extract what you need with rex and some regex capture groups, from either the _raw or the message field:
index = "myspluk"
| rex field=_raw "OUT: (?<method>.*?) - time taken: (?<executiontime>\d+) ms"
| table method executiontime
Upvotes: 1
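The difference between the single combined rex (Mads Hansen's answer) and two independent rex commands (the first answer), as an added Python example that is not code from either answer. Python's re module stands in for Splunk's PCRE here; the three JSON events are constructed, the last two to show the kind of corner cases the first answer refers to.

```python
import json
import re

# Constructed sample events in the question's format. The first is the question's own
# message; the other two vary the message text to exercise the corner cases.
SAMPLE_EVENTS = [
    '{ "event" : "test", "message" : "OUT: IndexController.printHello - time taken: 519 ms"}',
    '{ "event" : "test", "message" : "OUT: IndexController.printHello - status: 500 - time taken: 731 ms"}',
    '{ "event" : "test", "message" : "OUT: IndexController.health - no timing recorded"}',
]

# The single all-at-once pattern from Mads Hansen's answer.
ALL_AT_ONCE = re.compile(r"OUT: (?P<method>.*?) - time taken: (?P<executiontime>\d+) ms")

# The two independent patterns from the first answer.
METHOD_RE = re.compile(r"OUT:\s+(?P<method>\S+)")
TIME_RE = re.compile(r"taken:\s+(?P<executiontime>\d+)")


def extract_all_at_once(message):
    """One combined rex: either every group matches or nothing is extracted."""
    m = ALL_AT_ONCE.search(message)
    if not m:
        return {}
    return {"method": m.group("method"), "executiontime": int(m.group("executiontime"))}


def extract_sequential(message):
    """Two separate rex commands: each field is extracted on its own, so unexpected
    text between the two facts, or a missing fact, only affects that one field."""
    fields = {}
    m = METHOD_RE.search(message)
    if m:
        fields["method"] = m.group("method")
    t = TIME_RE.search(message)
    if t:
        fields["executiontime"] = int(t.group("executiontime"))
    return fields


def extract_from_events(raw_events, extractor):
    """Parse each JSON event, take its message field and run the chosen extractor;
    this is the rex-then-table step of the answers, done on the message field."""
    rows = []
    for raw in raw_events:
        message = json.loads(raw).get("message", "")
        rows.append(extractor(message))
    return rows
```

On the second event the combined pattern still matches, but its lazy `.*?` swallows `- status: 500` into method, while the sequential patterns return the method and time cleanly; on the third event the combined pattern yields nothing and the sequential one at least keeps the method.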