topic Re: How to define a data filter in order to apply different fields extractions for 2 different events from the same source? in Splunk Search

How to define a data filter in order to apply different fields extractions for 2 different events from the same source?

dhantran — Thu, 17 Dec 2015 10:40:36 GMT

Hello,

I am new to Splunk Enterprise

Here is my problem:
I have a data source in the form of text files which contains two type of events, and each can be identified by a string
Ex :

line 1 : XXXX XX XXX ENVXXXXXXXXXXX
line 2 : XXXXXXXXXXORDXXXX XXX XXXXX
line 3 : XXXXXXXXXXORDXXXX XXX XXXXX
etc...

What I'm trying to do is to find a way to extract fields according to each type of event.
I've came up with two fields extractors, one for the line that contains "ENV", and one for "ORD", each contain a regex to extract the information I want.
However, I don't understand how to use them properly yet.
Is there a way to tell Splunk that if it finds lines that contains "ENV", then apply extractor X, otherwise extractor Y ?

Thanks for your help

Re: How to define a data filter in order to apply different fields extractions for 2 different events from the same source?

lguinn2 — Thu, 17 Dec 2015 19:15:33 GMT

Yes, it depends on how you write your regular expression. In fact, I find this easiest to do by editing props.conf directly

[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})

With these extractions, only events that match the first pattern (which includes "ENV") will have field1, and only events that match the second pattern (including "ORD") will contain field2

You can make your regular expressions as complex as they need to be, in order to match exactly and only the data you want. Also, you can have a single EXTRACT line that extracts multiple fields at once. But I often find it is easier to write each field extraction separately, as I have done here, especially when the patterns are different.