https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187842#M187057 <P>I've been trying to use the field extractor to get some useful data from my Sophos Anti-virus scan log. Unfortunately, it doesn't seem to work. I also can't figure out how I would break the event up using transforms.conf.</P> <P>The log contains the following summary when I search it in Splunk (it has it's own soucetype [SAV-too_small]).</P> <PRE><CODE>20140604 042046 Scan 'Daily Scan 5am' completed. 20140604 042046 Summary of results for scan 'Daily Scan 5am': Items scanned: 198971 Errors: 0 Items quarantined: 0 Items dealt with: 0 </CODE></PRE> <P>What I want is to get some kind of table or chart where it splits up "errors" and "items" as separate fields.</P> <P>Any help would be much appreciated<BR /> Thanks,<BR /> thommck</P> Wed, 04 Jun 2014 11:24:31 GMT thommck 2014-06-04T11:24:31Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187842#M187057 <P>I've been trying to use the field extractor to get some useful data from my Sophos Anti-virus scan log. Unfortunately, it doesn't seem to work. I also can't figure out how I would break the event up using transforms.conf.</P> <P>The log contains the following summary when I search it in Splunk (it has it's own soucetype [SAV-too_small]).</P> <PRE><CODE>20140604 042046 Scan 'Daily Scan 5am' completed. 20140604 042046 Summary of results for scan 'Daily Scan 5am': Items scanned: 198971 Errors: 0 Items quarantined: 0 Items dealt with: 0 </CODE></PRE> <P>What I want is to get some kind of table or chart where it splits up "errors" and "items" as separate fields.</P> <P>Any help would be much appreciated<BR /> Thanks,<BR /> thommck</P> Wed, 04 Jun 2014 11:24:31 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187842#M187057 thommck 2014-06-04T11:24:31Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187843#M187058 <P>Hi thommck,</P> <P>based on your provided data, use something like this:</P> <PRE><CODE> your base search to get the events needed | rex field=_raw "Items\sscanned:\s(?&lt;items&gt;.+)" | rex field=_raw "Errors:\s(?&lt;errors&gt;.+) | table items errors </CODE></PRE> <P>hope this helps ...</P> <P>cheers, MuS</P> Wed, 04 Jun 2014 11:35:05 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187843#M187058 MuS 2014-06-04T11:35:05Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187844#M187059 <P>Based on your sample data it look like you might also benefit from using the mvexpand command. <BR /> One of the examples on the documentation page for mvexpand uses rex, like has already been suggested, but also allows you to have other data (e.g., timestamp) from the original event applied. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Mvexpand">http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Mvexpand</A></P> Wed, 04 Jun 2014 12:24:17 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187844#M187059 alterdego 2014-06-04T12:24:17Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187845#M187060 <P>Thanks, this works but is there a way to make it always index the data this way?</P> Wed, 04 Jun 2014 13:49:08 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187845#M187060 thommck 2014-06-04T13:49:08Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187846#M187061 <P>I'll look into this, thanks</P> Wed, 04 Jun 2014 13:49:23 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187846#M187061 thommck 2014-06-04T13:49:23Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187847#M187062 <P>Sure, read the docs about <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">field extraction using conf files</A>. This will extract the fields at search time once configured. If you prefer to have it extracted at index time, read the docs about <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Aboutindexedfieldextraction">indexed field extraction</A>.</P> <P>cheers, MuS</P> <P>pls, mark this as answered by accepting the answer - thx</P> Wed, 04 Jun 2014 15:14:21 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-from-antivirus-summary/m-p/187847#M187062 MuS 2014-06-04T15:14:21Z