Splunk Practice Exercise 14: Extract Fields Using rex II
Introduction
This practice exercise focuses on extracting the 'other' field from the _raw field using the rex command in Splunk.
Step 1: Access Splunk Web
-
Open your web browser and navigate to Splunk Web:
http://<your server ip>:8000 -
Log in using your credentials.
Step 2: Run the Query
-
In the Splunk Web interface, go to the Search & Reporting app.
-
Run the following query to extract the 'other' field using
_rawandrex:index=tutorial other=* | rex field=_raw "(?<OtherField>\d{3})\s*$"This query uses the rex command to capture the regex content within double quotes and names the captured content as OtherField. In this case, the
otherfields is the last 3 string characters of the events, so we'll take advantage of that to extract the field. -
Verify the new field creation under
OtherFieldlike below.
The values should be identical to that of the original
otherfield.
Step 3: Verify results in table form
-
In this step we can refer to the newly created field to be piped onto the query. In the search bar, enter the following search query:
index=tutorial other=* | rex field=_raw "(?<OtherField>\d{3})\s*$" | stats count by other, OtherField -
Output should have 2 columns with identical values like so:
Conclusion
Congratulations! You have successfully completed the practice exercise, extracting the 'other' field from the _raw field using the rex command in Splunk. This skill is valuable for extracting specific information from the raw event data. Continue to explore and experiment with different extraction scenarios to enhance your Splunk skills.