topic Re: Extract New Fields in Splunk Search

Extract New Fields

bogdan_nicolesc — Thu, 18 Nov 2021 13:35:46 GMT

Hi there,

I'm trying so hard to do a new field in Splunk, but i don't know where i do "wrongs".

I would like to extract "Log Closed" or just "Log" from event, but when i do, i get all kind of other results other than what i want.

I tried with extract and require.

On the extract end i get a mixed variety of results, most of them with no relation to what i look for.

On the require end, when i select all correct lines, i cannot press Next button as it is grayed out. And i have no other clue what to do next.

My question is: What path should i take to get "Log Closed" or just "Log" from the event "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed" to make a new field. I would like to make a new Field as i have a "Log Started" and a "Log Closed".

I tried even too look at the regex, but i understand none of it, exept i know that \n is new line.

The regex is: ^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)

Thank you.

Re: Extract New Fields

ITWhisperer — Thu, 18 Nov 2021 14:01:29 GMT

Use regex101.com to test the regex - it gives you a breakdown of what the regex means

In your case, if you simply want a field called LogClosed with the value "Log Closed" in and you are not interested in any other string, you could simply use this regex

(?P<LogClosed>Log Closed)

Re: Extract New Fields

bogdan_nicolesc — Thu, 18 Nov 2021 22:24:01 GMT

Thank you very much @ITWhisperer.

Why is not showing this when checking the regex, but instead is showing me some mambo jumbo?

Also, how do i add "Log Started" to this (?P<LogClosed>Log Closed).

I tried something like this (?P<Log>Log Started)|(Log Closed) but i get only the "Log Started".

What i want in the end is to make a pivot of time when "event" occurred and "Log Started" "Log Closed", and get a list of "Log Started" "Log Closed" listed by time ... if it makes sense to you what i want to describe.

So having 2 fields, one called "Log Started" and the other "Log Closed", i don't think is going to work. In my head i get a reference of windows logs where there are codes for various events. And that "code" have multiple numbers, but if i tell splunk what code should look for, works like a charm.

Anyway ... I hope i was clear enough to understand and i look forward for your reply.

Re: Extract New Fields

ITWhisperer — Fri, 19 Nov 2021 08:02:24 GMT

(?P<Log>Log (Started|Closed))

Re: Extract New Fields

bogdan_nicolesc — Fri, 19 Nov 2021 15:33:44 GMT

Hi @ITWhisperer ,

Where or how do you learn this stuff?

I mean, i know there is info out there somewhere, but how do you put things together, or how do they say connect the dots.

I'm asking because even if i tried to use regex101.com, was not that obvious choise to use this form.

Anyway ... Thank you so much.

Where do i send beer? :))

Re: Extract New Fields

ITWhisperer — Fri, 19 Nov 2021 15:51:48 GMT

regex101.com is a great resource - trial and error goes a long way for learning this stuff - you can probably find other resources too, https://www.regular-expressions.info/ has a pretty comprehensive tutorial for example.