topic Re: Creating an interesting field? in Splunk Search

Creating an interesting field?

cruzalan90 — Mon, 13 May 2013 21:41:18 GMT

I have a log set up as: timestamp, user account, query

Splunk is not identifying the second column as 'user account' mostly because there isn't anything to identify it as a user account (no column title)....is there anyway to make Splunk read this column so that it will show as an interesting field regardless of the value?

Log sample:
2013-05-13 15:00:00,000 C012345(user account #)
2013-05-13 15:00:00,000 C543210

Re: Creating an interesting field?

wrangler2x — Mon, 13 May 2013 23:03:48 GMT

You should be able to accomplish this by reading this documentation:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime

You'll eventually want to create a field extract in the Manager. But before you do, use the rex command to create a field extract on-the-fly. The '...' in the example below represents your search, then just tack-on the rex. 'user_id' can be any name you want it to be.

... | rex "^(?:[^ ]* ){2}(?<user_id>[^ ]+)\s"

The first section skips the data and time fields, and the second part picks up the third field and assigns it to the field name 'user_id'. Then you can do the search, and look at your menu of field names, and click on the field to see what it is capturing.

Once you have this working that way you want it to, take everything inside the quotes for the rex and put it into a new field extract via the manager.

Re: Creating an interesting field?

cruzalan90 — Tue, 14 May 2013 14:25:38 GMT

Something is still not right.

The rex command is very close to what I'm looking for but it looks like timestamp and account ID are being identified as column 1.

Right now: 2013-05-13 15:00:00,000 C012345 = Column 1

Should be:
2013-05-13 15:00:00,000 = Column 1

C012345 = Column 2

I'm still fairly new to Splunk so what can I do to separate timestamp from account ID first before I can apply the rex command?

Thank you!

Re: Creating an interesting field?

wrangler2x — Tue, 14 May 2013 15:29:24 GMT

I don't understand what you mean by column 1, so let's start with you posting some more information.

Let's see the actual search you are using.
Let's see the search result (cut and paste) for one record.
Let's see the raw data. To do this, on one record of the search result you click on the blue box with the white arrow to reveal a 3-item menu. Click on "show source" and then copy and paste the record that is highlighted.

Re: Creating an interesting field?

wrangler2x — Tue, 14 May 2013 15:32:04 GMT

As far as the rex goes, and in your example (2013-05-13 15:00:00,000 C012345) it is skipping 2013-05-13 and 15:00:00,000 and then picking up C012345 as a field extract under the label user_id. It does not affect the output of your search other than to make this field available by name, and then to appear under "Interesting Field(s)" unless you have selected it to appear in the "selected fields" list.

Splunk should automagically have figured out the date field and the time fields. timestartpos shows where it sees these beginning (should be zero) and timeendpos where it ends. Also date_ fields.

Re: Creating an interesting field?

cruzalan90 — Mon, 28 Sep 2020 13:53:59 GMT

What I meant by columns was referring to the actual logs.

index = hrfarm | rex "^(?:[^ ]* ){2}(?[^ ]+)\s"
2013-05-13 17:32:26,962 C083363 /* GUID: C083363 */ select permission1_.PermissionId as col_0_0_ from...

Rex command works just not the correct position and when I change the position to either {1} or {3} its still not correct.

Interesting field "account_ID"
position {2} returns: GUID: or sometimes commands:
position {1} returns: 2013-05-13 17:32:26,962 C083363
position {3} returns: GUID: C083363 (close but I want the first account ID value)