extract

It's a pretty popular search command and it is used in all sorts of situations. Below are some really cool searches that use extract along with other search commands.

Extract SQL Insert Params

sourcetype=stream:mysql* query="insert into*" | rex "insert into \S* \((?<aaa>[^)]+)\) values \((?<bbb>[^)]+)\)" | rex mode=sed field=bbb "s/\\\\\"//g" | makemv aaa delim="," | makemv bbb delim="," | eval a_kvfield = mvzip(aaa, bbb) | extract jam_kv_extract | timechart span=1s per_second(m_value) by m_name

purpose:

extracts fields from a SQL Insert statement so that the values inserted into the database can be manipulated via splunk searches. In this case, it is used in conjunction with splunk stream & mysql, but should work with any source / database technology.

requirements:

comments: