topic Field Extraction and search in Splunk Search

Field Extraction and search

cyler — Tue, 29 Sep 2020 18:53:07 GMT

Here is the line in the log I am working with;

Message=COMPUTERNAME [Monday, April 02, 2018 7:15:53 AM (GMT-06:00)]: Status of device 'COMPUTER' changed to Critical: Many viruses detected.

Goal;
I would like to search my database for all logs that have the status "Many viruses detected"

I am newer to splunk, I need to use rex correct? I do not think the field has been extracted yet.

After being able to find all the computers with this log, I would like to extract the field for future use.
My search;
index=my_index | rex field=_raw"(?)Message=(?[a-zA-z0-9:\s[]\-,=`'."]\sMany\sviruses\sdetected"

Re: Field Extraction and search

cyler — Thu, 05 Apr 2018 15:37:40 GMT

My search IS NOT working

Re: Field Extraction and search

richgalloway — Thu, 05 Apr 2018 15:45:52 GMT

To return events with a specific string, just include that string in your base search.

index=my_index "Many viruses detected"

Re: Field Extraction and search

PowerPacked — Thu, 05 Apr 2018 16:25:15 GMT

What value you want to capture from the above event using REX ?

Re: Field Extraction and search

kmaron — Thu, 05 Apr 2018 17:13:25 GMT

If you wanted to extract the computer name, message and status you could try something like this:

rex field=_raw "Status of device '(?<COMPUTERNAME>.*?)' (?<MESSAGE>.*?): (?<STATUS>.*?)\."

Re: Field Extraction and search

cyler — Thu, 05 Apr 2018 18:29:37 GMT

Thank you!

Re: Field Extraction and search

cyler — Thu, 05 Apr 2018 18:29:43 GMT

Thank you!

Re: Field Extraction and search

cyler — Thu, 05 Apr 2018 18:29:53 GMT

Thank you!