-1

I need to extract the whole value from a field

I have tried different Regex patterns and it did not work and was wondering if there was a simple way to do this.

Here's an example Splunk Event

HelloSample=My tool is too picky and has a hard time

Here's my Splunk query

fields HelloSample

This returns

My

I want it to return the whole string like below

My tool is too picky and has a hard time
Prozac
  • 1
  • 1
    *"I have tried different Regex patterns and it did not work".* Do you mind sharing those patterns with us, along with actual and expected behaviors? – CinCout Feb 07 '19 at 06:59
  • Share some sample data, please - especially *where* in the event your expected text is – warren Nov 04 '20 at 12:59

2 Answers

0

There are answers out there that involve doing some pretty intense regexes. But assuming this is a one-off query, I think that you can probably get away with a simple (albeit less efficient) query like the following:

index=myIndex "My tool is too picky and has a hard time"

The use of quotation marks in the above example query will perform a text-based search for your needed string. This query won't be as efficient as a field-only search would be, but it should get the job done.

entpnerd
  • 8,063
  • 5
  • 36
  • 60
  • Actually that is not the string I'm searching for. I want to extract all the value for the field HelloSample. It is not always the same string. It is different all the time. – Prozac Feb 07 '19 at 07:47
0

If you don't have the ability to modify your props.conf to extract the field correctly, this rex will pull it (presuming it's at the end of the event):

index=ndx sourcetype=srctp
| rex field=_raw "HelloSample\=(?<HelloSample>.+)"

If your text is somewhere else in the event, we'll need to know what kind of delimiters exist to refine the above regex.

warren
  • 28,486
  • 19
  • 80
  • 115
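To see why `fields HelloSample` returns only `My`, how the `rex` in the answer above recovers the full value, and what happens when the field is not at the end of the event, here is an added Python illustration (not from the original post or its answers) that runs equivalent patterns with Python's `re` over constructed events. The "stop before the next `key=` token" refinement is an assumption about the event layout, not something the page states.

```python
import re

# Constructed sample events (not taken from the original post).
EVENTS = [
    "HelloSample=My tool is too picky and has a hard time",
    "host=web01 HelloSample=My tool is too picky and has a hard time",
    "HelloSample=My tool is too picky and has a hard time status=ok code=200",
]

# Splunk's automatic key=value extraction stops at the first whitespace,
# which is why `fields HelloSample` in the question yields only "My".
AUTO_KV = re.compile(r"HelloSample=(?P<HelloSample>\S+)")

# The rex from the answer: everything after "HelloSample=" to the end of
# the event. (Splunk/PCRE writes the named group as (?<name>...); Python
# requires (?P<name>...).) Correct only when the field is last in the event.
REX_TO_END = re.compile(r"HelloSample\=(?P<HelloSample>.+)")

# Assumed refinement for a mid-event field: match lazily and stop just before
# the next " word=" token or the end of the event. Assumes neighbouring
# fields look like `word=`; adjust if the real delimiter differs.
REX_TO_NEXT_KEY = re.compile(r"HelloSample=(?P<HelloSample>.+?)(?=\s+\w+=|$)")


def extract(pattern, event):
    """Return the captured HelloSample value, or None if the field is absent."""
    m = pattern.search(event)
    return m.group("HelloSample") if m else None


def compare(events=EVENTS):
    """Apply all three extraction strategies to each event and return the results."""
    return [
        {
            "event": e,
            "auto_kv": extract(AUTO_KV, e),
            "rex_to_end": extract(REX_TO_END, e),
            "rex_to_next_key": extract(REX_TO_NEXT_KEY, e),
        }
        for e in events
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The third event shows the caveat in the answer: `.+` swallows the trailing `status=ok code=200`, while the next-key variant stops at the field boundary.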