https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188168#M54210 <P>A field definition is ultimately a regular expression. You can certainly write a regular expression that would include spaces - or anything else! Of course, for a complicated event, the regular expressions may be complex as well.</P> <P>You might be able to avoid writing your own regular expression if your data is one of the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Listofpretrainedsourcetypes">pretrained sourcetypes</A>, or if there is an <A href="http://splunkbase.com">app</A> for the data.</P> <P>The timestamp is a special case. Splunk's default timestamp extraction is not confused by spaces, although it might have some problem with the fact that there are 3 timestamps in the event! Which one is the event time? Again, you can use regular expressions to help Splunk identify the proper time stamp; <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/ConfigurePositionalTimestampExtraction">here</A> is some info in the documentation.</P> <P>I frankly think that "grouping fields" on the fly is an inconvenient way to do things. Remember that field extractions are dynamic - you can change them at any time. So even if you have already indexed the data, you can change the field definitions. [Exception: unless you used "index time" field extractions - which you should avoid as much as possible.]</P> <P>If you need help writing the regular expressions, tell us exactly how you want the fields broken out in this event...</P> Fri, 28 Aug 2015 00:35:40 GMT lguinn2 2015-08-28T00:35:40Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188166#M54208 <P>How would I go along extracting fields for the below? The challenge I am seeing is that it seems to be delimited by space, but the values themselves can contain a space. For example, the header datatime has space, and the user agent has spaces (though the latter has quotes around it). </P> <P>What would be the best approach for extracting fields from this data?</P> <PRE><CODE>Aug 27 17:48:19 10.252.22.22 Aug 27 10:46:48 10.251.106.44 2015-08-27 17:35:43 19 10.234.37.191 - - - OBSERVED "News/Media" <A href="http://bits.blogs.nytimes.com/2015/08/26/facebook-tests-a-digital-assistant-for-its-messaging-app/?_r=0" target="test_blank">http://bits.blogs.nytimes.com/2015/08/26/facebook-tests-a-digital-assistant-for-its-messaging-app/?_r=0</A> 200 TCP_HIT GET image/jpeg http graphics8.nytimes.com 80 /images/2015/08/28/business/28eugoogle-web/28eugoogle-web-mediumThreeByTwo210.jpg - jpg "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" 10.251.106.44 8762 4053 - "none" "none" </CODE></PRE> Thu, 27 Aug 2015 19:36:00 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188166#M54208 jamesvz84 2015-08-27T19:36:00Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188167#M54209 <P>What do you think about using the space as field separator and after discover all, group some fields in eventtypes for example? Also you can use eval functions.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/eventtypesconf">Use eventtypes</A></P> <P><A href="http://answers.splunk.com/answers/5726/group-by-different-fields-based-on-some-other-field.html">Group using eval</A></P> Thu, 27 Aug 2015 21:30:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188167#M54209 changux 2015-08-27T21:30:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188168#M54210 <P>A field definition is ultimately a regular expression. You can certainly write a regular expression that would include spaces - or anything else! Of course, for a complicated event, the regular expressions may be complex as well.</P> <P>You might be able to avoid writing your own regular expression if your data is one of the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Listofpretrainedsourcetypes">pretrained sourcetypes</A>, or if there is an <A href="http://splunkbase.com">app</A> for the data.</P> <P>The timestamp is a special case. Splunk's default timestamp extraction is not confused by spaces, although it might have some problem with the fact that there are 3 timestamps in the event! Which one is the event time? Again, you can use regular expressions to help Splunk identify the proper time stamp; <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/ConfigurePositionalTimestampExtraction">here</A> is some info in the documentation.</P> <P>I frankly think that "grouping fields" on the fly is an inconvenient way to do things. Remember that field extractions are dynamic - you can change them at any time. So even if you have already indexed the data, you can change the field definitions. [Exception: unless you used "index time" field extractions - which you should avoid as much as possible.]</P> <P>If you need help writing the regular expressions, tell us exactly how you want the fields broken out in this event...</P> Fri, 28 Aug 2015 00:35:40 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188168#M54210 lguinn2 2015-08-28T00:35:40Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188169#M54211 <P>11/06/2018 01:31:21.784 (# 178) (58w8239-11212-2001-0078-00999393003903) Director (Director, 63) 1</P> <P>I need to get (5***) as a field in the above log</P> Tue, 06 Nov 2018 07:34:02 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-fields-from-a-space-delimited-event-with/m-p/188169#M54211 bschaithnyakuma 2018-11-06T07:34:02Z