topic Re: Field Extraction in Splunk Search

Field Extraction

visa87 — Wed, 07 Jan 2015 05:59:22 GMT

Hi,

I am trying to read some systemout log files and extract data from it.
Sample info in the log is as below :

Field1 Accept Indicator :: true
Field1 Accept Indicator :: false
Field2 Accept Indicator :: true
Field2 Accept Indicator :: false
Total Time Taken by ReqA****156
etc

I am new to Splunk and not sure what is the correct approach to get these fields extracted..
I tried using the regex generated by Field Extraction but it does not give accurate results.

Can anyone help me with the regex as well?

Re: Field Extraction

esix_splunk — Wed, 07 Jan 2015 06:04:00 GMT

First off, let us know what fields you want to extract, and what the values in your representative data looks like.. Then we can help!

Re: Field Extraction

visa87 — Wed, 07 Jan 2015 06:46:03 GMT

I want to extract the time taken as a field and the numeric value as the value for tat field. Similarly I want Field 1 Accept Indicator as a field F1 which can either have true or false as value

Re: Field Extraction

esix_splunk — Wed, 07 Jan 2015 06:59:24 GMT

You can do regex as follows:

.. | rex field=_raw "Field1.*\:\:\s(?<f1_value>\w+)"

That would get this for Field1, you can modify for each field, assuming this is a single line event.

For the total time event-

.. | rex field=_raw "ReqA(?<time_value>\d+)"

Again, these are for single line events. You can drop those regex's into props.conf or transforms for your sourcetime and extract them there.

Re: Field Extraction

visa87 — Thu, 08 Jan 2015 04:49:20 GMT

Thanks... That helped. But I dont understand what can be achieved by adding these regex to transforms.

Re: Field Extraction

abacus_machine_ — Thu, 08 Jan 2015 08:44:28 GMT

Then you can accept the answer which helped you.

Re: Field Extraction

esix_splunk — Thu, 08 Jan 2015 09:08:31 GMT

For understanding the difference between having your extractions in props.conf vs transforms.conf, reading through the spec file for props.conf can be quite englightening:

http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Propsconf

Defining new search-time field extractions. You can define basic search-time field
extractions entirely through props.conf. But a transforms.conf component is required if
you need to create search-time field extractions that involve one or more of the following:
* Reuse of the same field-extracting regular expression across multiple sources,
source types, or hosts.
* Application of more than one regex to the same source, source type, or host.
* Delimiter-based field extractions (they involve field-value pairs that are
separated by commas, colons, semicolons, bars, or something similar).
* Extraction of multiple values for the same field (multivalued field extraction).
* Extraction of fields with names that begin with numbers or underscores.