https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159240#M44930 <UL> <LI>A more permanent solution would be using <STRONG>transforms.conf</STRONG> and <STRONG>props.conf</STRONG>. Docs <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">here</A>. </LI> <LI>or use the field extractor ? Docs <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/ExtractfieldsinteractivelywithIFX">here</A></LI> <LI>or maybe you just love that web gui ? You can manage extractions there as well. <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesearch-timefieldextractions">Here</A></LI> </UL> <HR /> <P>Example: </P> <P><STRONG>Add a new error code field</STRONG><BR /> This example shows how to create a new "error code" field by configuring a field extraction in props.conf. The field can be identified by the occurrence of device_id= followed by a word within brackets and a text string terminating with a colon. The field should be extracted from events related to the testlog source type.</P> <P>In props.conf, add:</P> <PRE><CODE>[testlog] EXTRACT-errors = device_id=\[w+\](?&lt;err_code&gt;[^:]+) </CODE></PRE> <P>Or get jiggy with that GUI:<BR /> <IMG src="http://docs.splunk.com/images/f/f4/60NewFieldExtraction.png" alt="alt text" /></P> Tue, 24 Feb 2015 23:43:44 GMT aljohnson_splun 2015-02-24T23:43:44Z https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159237#M44927 <P>We are ingesting syslog logs. While doing a search and exporting to csv, we would like the raw data column to be split into readable fields. Do I need to use regex? </P> <P>What can I post here so you can see the raw data?</P> Tue, 24 Feb 2015 22:37:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159237#M44927 zoeygirl45 2015-02-24T22:37:43Z https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159238#M44928 <P>you could post a few lines from your logs itself... </P> Tue, 24 Feb 2015 22:52:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159238#M44928 sk314 2015-02-24T22:52:21Z https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159239#M44929 <P>You can try using the "erex" command that Splunk has. This command basically creates your rex call for you.</P> <P>Here's how it works:</P> <PRE><CODE>... YOUR SEARCH ... | erex FIELD_NAME examples="2345,3455,9283" </CODE></PRE> <P>After your search, use the erex command by replacing <CODE>FIELD_NAME</CODE> with a name of your choice and then post <STRONG>real</STRONG> examples of the data that you want to be put in this field (you only need two or three examples). These examples of yours will replace the dummy data that I have above in between quotes. Your examples must be comma separated and surrounded by quotes.</P> <P>After your search runs, the rex command that it creates for you can be found under the "Jobs" tab.</P> Tue, 24 Feb 2015 23:23:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159239#M44929 rlough 2015-02-24T23:23:14Z https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159240#M44930 <UL> <LI>A more permanent solution would be using <STRONG>transforms.conf</STRONG> and <STRONG>props.conf</STRONG>. Docs <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">here</A>. </LI> <LI>or use the field extractor ? Docs <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/ExtractfieldsinteractivelywithIFX">here</A></LI> <LI>or maybe you just love that web gui ? You can manage extractions there as well. <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesearch-timefieldextractions">Here</A></LI> </UL> <HR /> <P>Example: </P> <P><STRONG>Add a new error code field</STRONG><BR /> This example shows how to create a new "error code" field by configuring a field extraction in props.conf. The field can be identified by the occurrence of device_id= followed by a word within brackets and a text string terminating with a colon. The field should be extracted from events related to the testlog source type.</P> <P>In props.conf, add:</P> <PRE><CODE>[testlog] EXTRACT-errors = device_id=\[w+\](?&lt;err_code&gt;[^:]+) </CODE></PRE> <P>Or get jiggy with that GUI:<BR /> <IMG src="http://docs.splunk.com/images/f/f4/60NewFieldExtraction.png" alt="alt text" /></P> Tue, 24 Feb 2015 23:43:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159240#M44930 aljohnson_splun 2015-02-24T23:43:44Z https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159241#M44931 <P>If this is syslog, and your timestamps and events are being recognized correctly, you can use the Field Extractor Utility to extract fields as you desire. And then using the fields and outputcsv commands, you can format how you want your CSV to look.</P> <P>Other options as mentioned are using props and transforms to create your own extractions and fields.</P> Wed, 25 Feb 2015 00:10:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-customize-raw-data-into-fields-using-regex-before/m-p/159241#M44931 esix_splunk 2015-02-25T00:10:00Z