topic Re: Auto Filed value extraction in Splunk Search

How to achieve auto filed value extraction?

pm2012 — Tue, 18 Apr 2023 07:54:05 GMT

Hi Team,

I have to do auto field extraction of the fields coming inside the payload under <mTypes>....</mTypes> to the corresponding values which are coming under <Results>........</Results>

<mTypes>field_1 field_2 field_3 field_4</mTypes>

some random paylod <Results>12 12 9 3</Results>

Kindly suggest, thanks in advance

Re: Auto Filed value extraction

gcusello — Mon, 17 Apr 2023 07:05:11 GMT

Hi @pm2012,

if you're sure to have always 4 fields, separated by a space, you could use a regex like the following:

| rex "\<Results\>(?<field1>\d+)\s+(?<field2>\d+)\s+(?<field3>\d+)\s+(?<field4>\d+)\<\/Results\>"

Ciao.

Giuseppe

Re: Auto Filed value extraction

pm2012 — Mon, 17 Apr 2023 07:18:26 GMT

Thanks @gcusello for the quick help,

Actually fields are not unique and even their order is also not unique, like few logs having 4 fields and other more than that, also sometime field_1 at first place and sometime it is on different place.

Re: Auto Filed value extraction

gcusello — Mon, 17 Apr 2023 07:29:59 GMT

Hi @pm2012,

it's really difficoult to extract a fild if there isn't any rule in fields definition!

Can you extrapolate a rule?

Otherwise, you can only extract the field between the "result" tag and make a search inside this field.

Ciao.

Giuseppe

Re: Auto Filed value extraction

pm2012 — Thu, 20 Apr 2023 07:13:52 GMT

Hi @gcusello

The pattern is same, i mean there are fields at the right places however in different order and their respective values. Any clue how to make this auto extraction done?

Re: Auto Filed value extraction

gcusello — Thu, 20 Apr 2023 08:17:32 GMT

Hi @pm2012,

as I said a different order isn't the same, for this readon I asked a rule.

Without a rule it's difficoult to create a regex for fields extraction.

Ciao.

giuseppe