topic Re: different formats - same field in Reporting

different formats - same field

a212830 — Thu, 13 Feb 2014 01:53:06 GMT

Hi,

I have a syslog feed from two servers, that use a different format. The first feed has a nice key-value pair, and the field (user) is automatically created by Splunk. The second one has the field value, but I need to create the field (which I can do). How can I report on both of them as the "user" field and get a count of the number of times for each value?

Re: different formats - same field

asimagu — Thu, 13 Feb 2014 02:06:01 GMT

Just create your field extraction as usual. If you require any help with that we need to see a sample from your log. You can create several conditions for field extractions so two different formats is not a problem

about the stat you want: stats count by user

Edit:
Try this field extraction:

\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\-\s\w+\s\-\s\[(\d+\.){3}\d+\]\s(?P<user>[^\(]+)\(

Re: different formats - same field

a212830 — Thu, 13 Feb 2014 02:23:51 GMT

OK. Thanks.

So, the first one is pre-populated by Splunk, as the message has key-value pairs:

2014-02-12T20:56:39.122238-05:00 myhost Juniper: id=firewall time="2014-02-12 20:56:39" pri=6 fw=1.2.3.4 vpn=ive user=a123456 realm="Siteminder"

The second one does not have key value pairs:

2014-02-12T17:28:38.796343-05:00 myhost1 Juniper: 2014-02-12 17:28:39 - ive - [9.8.7.6] A666666(Siteminder)[TSO - Web Access (LAN)] - WebRequest completed

So, I need both the a123456 and the A66666 values.

Re: different formats - same field

asimagu — Thu, 13 Feb 2014 02:32:14 GMT

just edited the answer above, try that and let me know how it goes 😉

Re: different formats - same field

a212830 — Thu, 13 Feb 2014 02:33:19 GMT

That would go in the search?

Re: different formats - same field

asimagu — Thu, 13 Feb 2014 02:39:55 GMT

sorry, I assumed you knew how to create a field extraction. There are two ways: using the Manager or doing an inline extraction

Inline extraction, you need to pipe this in the search:
| rex field=_raw "<the regular expression from above"

Using the manager:
Create field extractions -> New Extraction -> Complete the form with the sourcetype and the regex from above

Re: different formats - same field

a212830 — Thu, 13 Feb 2014 03:22:25 GMT

Oooooooh, never done that one. Thanks! It works! Spend too much time on "admining" the systems and not enough time doing searches!

Re: different formats - same field

asimagu — Thu, 13 Feb 2014 06:11:41 GMT

glad it worked 😉 could you validate the answer then?