topic Field extraction with duplicate values in fields in Splunk Search

Field extraction with duplicate values in fields

kmattern — Thu, 15 Apr 2010 00:22:31 GMT

Splunk 4.0.10

I have a log file that has 5 fields, date, time, account, received, authorized. It looks like this:

4/14/2010 11:25:08 washington-i 0 13

4/14/2010 11:25:08 jefferson-i 13 13

4/14/2010 11:25:08 jackson-i 13 13

4/14/2010 11:25:08 madison-i 13 13

4/14/2010 11:25:08 polk-i 13 13

4/14/2010 11:25:08 lincoln 12 12

4/14/2010 11:25:08 carter 0 4

4/14/2010 11:25:08 reagan 7 7

4/14/2010 11:25:08 johnson-I 12 12

4/14/2010 11:25:08 eisenhauer 7 7

4/14/2010 11:25:08 jefferson-1 13 13

When I do a search and click on extract fields I can't get Splunk to recognize every received field and it refuses to see the authorized field. I need to be able to generate a report that will display the difference between these two fields. How do I get Splunk to extract these fields?

Re: Field extraction with duplicate values in fields

bwooden — Thu, 15 Apr 2010 02:09:13 GMT

One option may be to do this via transforms.conf

To get started you could add or append these two files on your Splunk search instance.

$SPLUNK_HOME/etc/system/local/props.conf
[unknown-too_small]
KV_MODE = none
REPORT-foo = RecAuthz

$SPLUNK_HOME/etc/system/local/transforms.conf
[RecAuthz]
REGEX = ([0-9]+/[0-9]+/[0-9]+)\s([0-9|:]+)\s(\S+)\s(\d+)\s(\d+)
FORMAT = date::$1 time::$2 account::$3 received::$4 authorized::$5

---
Alternate transforms.conf (easier to read solution)
[RecAuthz]
DELIMS = " "
FIELDS = "date", "time", "account", "received", "authorized"

Re: Field extraction with duplicate values in fields

bwooden — Thu, 15 Apr 2010 02:35:15 GMT

...assuming you're an admin on that instance.

Re: Field extraction with duplicate values in fields

kmattern — Thu, 15 Apr 2010 02:51:15 GMT

Thanks, that worked!