https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233737#M45558 <P>Hello @jorell, could you please more info? What i understand is you are looking to create a filed that will hold the INFO,ERROR and WARN values? Is that what you are looking for? </P> <P>You can extract fields always using regular expressions and eval: <A href="https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands">https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands</A>.</P> <P>Just to give you an idea, i extracted the Value INFO and assigned it to the Key = Level(Log Level)</P> <P>|gentimes start=-1|eval Event="2016-06-05T19:55:10,144 INFO LoadProperties:225 - LoadProperty - Initial fetch for properties is successfu"|rex field=Event "\s(?P\w+)\s"</P> <P>Please provide more info with an example if this is not even close to what you're looking for.</P> <P>Hope this helps!</P> <P>Thanks,<BR /> Raghav</P> Fri, 19 Aug 2016 19:50:36 GMT Raghav2384 2016-08-19T19:50:36Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233736#M45557 <P>Hi, </P> <P>I was wondering if it was possible to create a field within the source type that would show the event type.</P> <P>Here is a record from my log:</P> <PRE><CODE>2016-06-05T19:55:10,144 INFO LoadProperties:225 - LoadProperty - Initial fetch for properties is successful </CODE></PRE> <P>I would like to have INFO (and other types, like ERROR, WARN etc) as their own field within the source type. How can I do this? I'm new to Splunk and am currently using Splunk Enterprise 6.4.</P> Fri, 19 Aug 2016 19:24:20 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233736#M45557 jorell 2016-08-19T19:24:20Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233737#M45558 <P>Hello @jorell, could you please more info? What i understand is you are looking to create a filed that will hold the INFO,ERROR and WARN values? Is that what you are looking for? </P> <P>You can extract fields always using regular expressions and eval: <A href="https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands">https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands</A>.</P> <P>Just to give you an idea, i extracted the Value INFO and assigned it to the Key = Level(Log Level)</P> <P>|gentimes start=-1|eval Event="2016-06-05T19:55:10,144 INFO LoadProperties:225 - LoadProperty - Initial fetch for properties is successfu"|rex field=Event "\s(?P\w+)\s"</P> <P>Please provide more info with an example if this is not even close to what you're looking for.</P> <P>Hope this helps!</P> <P>Thanks,<BR /> Raghav</P> Fri, 19 Aug 2016 19:50:36 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233737#M45558 Raghav2384 2016-08-19T19:50:36Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233738#M45559 <P>Use the field extractions page to extract fields by sourcetype. Here's docs on that. <A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions">http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions</A> </P> <P>Once in IFX, chose to write your own regular expression and enter this. Make sure you set the right permissions, after creating the field.</P> <PRE><CODE>,\d+\s*(?&lt;type&gt;\w+) </CODE></PRE> <P>*<STRONG><EM>OR</EM></STRONG>*</P> <PRE><CODE>(?&lt;type&gt;INFO|WARN|DEBUG|ERROR) </CODE></PRE> Fri, 19 Aug 2016 19:51:36 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233738#M45559 sundareshr 2016-08-19T19:51:36Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233739#M45560 <P>Each Log has a type of warning it is after the timestamp, as you've seen. I just want to be able to search for anything that is of the ERROR type, or of the WARN time. So, anyway I can do that will be fine. There is a comma, a number than the log type, which in my example is INFO. </P> Fri, 19 Aug 2016 20:02:43 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233739#M45560 jorell 2016-08-19T20:02:43Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233740#M45561 <P>Thanks for the speedy reply, btw</P> Fri, 19 Aug 2016 20:02:59 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233740#M45561 jorell 2016-08-19T20:02:59Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233741#M45562 <P>np <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Please provide sample events with all possible patterns and we will help you with the dream extraction <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks,<BR /> Raghav</P> Fri, 19 Aug 2016 20:48:04 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-create-an-event-type-field-within-a-source/m-p/233741#M45562 Raghav2384 2016-08-19T20:48:04Z