Field Extractions During Search Time

anandhalagaras1 — Wed, 30 Sep 2020 04:57:50 GMT

Hi Team,

I want to do a field extraction during the search time itself so i want the following fields to be extracted from the below logs.

Jan 8 12:52:29 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status forced disabled.
Jan 8 10:44:23 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 monitor status up. [ /Common/https_xxxx: up ] [ was down for xxhrs:Xxmins:XXsec ]
Jan 8 10:44:22 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status enabled.
Jan 8 10:30:42 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 monitor status forced down. [ /Common/https_xxxx: up ] [ was forced down for Xxhrs:Xxmins:Xsec ]
Jan 8 10:24:21 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status forced disabled.

xyz.abc.com as "hostname"
hostinfo as "client"

The below information as "remarks"
session status forced disabled
monitor status up
session status enabled
monitor status forced down
session status forced disabled

So how to do a field extraction in the search time itself if yes can you kidnly help with the query?

Re: Field Extractions During Search Time

jpolvino — Thu, 16 Apr 2020 12:21:13 GMT

Here is one way, with some flexibility built in for the error codes:

|makeresults
 | eval _raw="Jan 8 12:52:29 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status forced disabled.
Jan 8 10:44:23 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 monitor status up. [ /Common/https_xxxx: up ] [ was down for xxhrs:Xxmins:XXsec ]
Jan 8 10:44:22 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status enabled.
Jan 8 10:30:42 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 monitor status forced down. [ /Common/https_xxxx: up ] [ was forced down for Xxhrs:Xxmins:Xsec ]
Jan 8 10:24:21 abc notice def[xxxx]: xxxxxxxx:x: Pool /Common/xyz.abc.com443 member /Common/hostinfo_portal:443 session status forced disabled."
 | multikv forceheader=1 | fields _raw
 | rex "Pool\s\/\w+\/(?<hostname>[\w.]+)\d{3}\smember\s\/\w+\/(?<client>[^_]+).*? (?<remarks>.*?)\."
 | table hostname client remarks

topic Re: Field Extractions During Search Time in Splunk Search

Field Extractions During Search Time

Re: Field Extractions During Search Time