https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-my-log-when-every-record-in-the-log/m-p/360304#M92950 <P>Hi varunchhabra,<BR /> if your logs have a limited number of types you can build one extraction for each situation (FunctionCalled1, FunctionCalled2, FunctionCalledn) and then configure a calculated field as a coalesce field or an eval command<BR /> | eval FunctionCalled=coalesce(FunctionCalled1, FunctionCalled2,...,FunctionCalledn).</P> <P>Bye.<BR /> Giuseppe</P> Wed, 03 May 2017 13:24:02 GMT gcusello 2017-05-03T13:24:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-my-log-when-every-record-in-the-log/m-p/360302#M92948 <P>I have a log file that contains time stamped events. The type of action done is defined by the string parameter like : FunctionCalled.<BR /> I want to extract the action field and use it. But the problem is that the keywords are not following any pattern. It could be like:</P> <P>TimeStamp1 FunctionCalled<BR /> TimeStamp2 ABC::CDE&lt;&gt;FunctionCalledAgain</P> <P>In such case, the neither the regex nor delimited pattern helping me to get the field.</P> <P>On the side note, Is it necessary for the log to be ordered so as to apply generic statistical functions?</P> <P>Plz help.</P> Wed, 03 May 2017 12:53:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-my-log-when-every-record-in-the-log/m-p/360302#M92948 varunchhabra 2017-05-03T12:53:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-my-log-when-every-record-in-the-log/m-p/360303#M92949 <P>How many of above patterns may exist? If there is no way for you to come up with regular expression, </P> <P><STRONG>Option 1</STRONG><BR /> You create separate Field Extractions for FunctionalCalled say FunctionalCalled1 and FunctionalCalled2 etc and then use the following in your query:</P> <PRE><CODE>&lt;YourBaseSearch&gt; FunctionalCalled1="FunctionalCalled" OR FunctionalCalled2="FunctionalCalled" </CODE></PRE> <P><STRONG>Option 2</STRONG><BR /> If you do not want to perform field extraction then in base search you can use <CODE>"FunctionalCalled"</CODE> and in your subsequent pipe you can use <CODE>searchmatch</CODE> to create your own field with <STRONG>eval</STRONG></P> <PRE><CODE>| eval FunctionalCalled1=case(searchmatch("FunctionalCalled"),"FunctionalCalled",true(),"Other") </CODE></PRE> <P>Ideally, interesting fields should be a key value pair, you should also read Logging best practices in order to better utilize Splunk's capabilities: <A href="http://dev.splunk.com/view/logging/SP-CAAAFCK">http://dev.splunk.com/view/logging/SP-CAAAFCK</A></P> Wed, 03 May 2017 13:16:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-my-log-when-every-record-in-the-log/m-p/360303#M92949 niketn 2017-05-03T13:16:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-my-log-when-every-record-in-the-log/m-p/360304#M92950 <P>Hi varunchhabra,<BR /> if your logs have a limited number of types you can build one extraction for each situation (FunctionCalled1, FunctionCalled2, FunctionCalledn) and then configure a calculated field as a coalesce field or an eval command<BR /> | eval FunctionCalled=coalesce(FunctionCalled1, FunctionCalled2,...,FunctionCalledn).</P> <P>Bye.<BR /> Giuseppe</P> Wed, 03 May 2017 13:24:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-my-log-when-every-record-in-the-log/m-p/360304#M92950 gcusello 2017-05-03T13:24:02Z