Ram
Reputation: 31
Splunk query to extract fields from log data
My Splunk log some thing like [user name] [traceid] ldap authentication { “status” : “success” , “username”: “123”} MULTIEXCEPTION some text….
I am trying out for Splunk query that gives result in tabular format.. any query suggestions?
Status username
Success 123
Fail 234
Upvotes: 0
Views: 381
Answers (1)
RichG
Reputation: 9926
As @PM77-1 wrote, use the rex command to extract fields from events. Then use the (surprise!) table command to put the results in tabular format.
index=foo
``` Extract the status field ```
``` Triple escapes are needed because of multiple layers of processing ```
| rex "status\\\"\s*:\s*\\\"(?<status>[^\\\"]+)"
``` Extract the username field using a separate command for order-independence ```
| rex "username\\\"\s*:\s*\\\"(?<username>[^\\\"]+)"
| table status username
Upvotes: 0
Related Questions
- Form a results table view from splunk multiple logs
- Splunk search query to create a table from JSON search result
- Using Splunk - extract fields from xml data in a log file using xpath
- Extract data from splunk
- splunk query to extract multiple fields from single field
- Extract some fields from a part json part text log in Splunk
- Splunk query reference field in joined data
- How to build Splunk search query?
- Splunk query based on the results of another query
- Splunk get combined result from 2 events