My log file has entries like this:
CAUSE1= CYLINDER HEAD|COMPLAINT1= A260241 WILL NOT BUILD AIR OR BUILDS SLOWLY | CORRECTION1= AFFIX COMPLETED RECON YELLOW SPECIAL HANDLING TAG TO ALL FAILED MATERIAL AND RETURN: ENG S/N 79138818
CLAIM# 86999 AND CONTROL# 11258066 DIST. CODE 2992 R.O.# 07072 FAILURE
Here "|" is the delimiter in my log file.
I want to show a table like this:
CYLINDER HEAD ------- A260241 WILL NOT BUILD AIR OR BUILDS-----AFFIX COMPLETED RECON YELLOW SPECIAL HANDLING TAG TO ALL FAILED MATERIAL AND RETURN: ENG S/N 79138818
CLAIM# 86999 AND CONTROL# 11258066 DIST. CODE 2992 R.O.# 07072 FAILURE
These values are not getting autoindexed by Splunk, so I am not able to perform a simple search like this:
sourcetype="test" CORRECTION1="*"
It is not showing any results.
Can anyone let me know how to solve this issue?
On your search head, run a search that will pull up some of your events. Then select "extract fields" from the dropdown to the left of one of the events that contains the data you wish to extract. This will take you to the "Interactive Field Extractor" page. Going forward, this page should be of great assistance when you wish to extract fields and store them to use in searches.
Now in your case you are looking for a regex that will look something like this (click the "Edit" button under "Generated pattern (regex)", and paste the below regex):
CAUSE1=\s?(?P<CAUSE1>[^|]+)\s?\|\s?COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+)\s?\|\s?CORRECTION1=\s?(?P<CORRECTION1>[^\n]+)
This will capture everything after "CAUSE1= " and before the first pipe (|) as a field named CAUSE1, everything after "COMPLAINT1= " and before the second pipe (|) as a field named COMPLAINT1, and finally it will capture everything after "CORRECTION1= " until it hits a new line or the event ends as a field named "CORRECTION1". Run the regex by clicking "Apply" and ensure that the data you are looking for has been captured the way you want it. If you are missing something, or the data doesn't look correct, then edit the regex again and try something new.
Once you save your new field extractions, every time you run a search against the sourcetype you linked the extractions to, you will get these fields on the left hand side automatically. You will be able to run such things as [ sourcetype="test" CORRECTION1="*" ]
Hope this helps
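As an added example (not code from the thread or from Splunk), the script below runs the answer's pattern over the event quoted in the question using Python's `re` module, which accepts the same `(?P<name>...)` named groups as Splunk's PCRE-based extractions. It shows two things worth checking before saving an extraction: the bare `|` between the three sections is regex alternation, so the unescaped pattern only ever populates CAUSE1, while the escaped form (`\|`) fills all three fields; and `[^\n]+` stops CORRECTION1 at the first line break, so the second line of the event is not captured. The `KV_REGEX` generalisation rests on my assumption that every field in this log is `NAME= value` separated by `|` and that a value runs to the next `|` or the end of the event; `SAMPLE_EVENT` is a constructed fixture copied from the question. The values here contain spaces and the `=` is followed by a space, which is why Splunk's automatic key=value extraction does not produce these fields on its own.

```python
import re

# Constructed fixture: the event quoted in the question, with its line break.
SAMPLE_EVENT = (
    "CAUSE1= CYLINDER HEAD|COMPLAINT1= A260241 WILL NOT BUILD AIR OR BUILDS SLOWLY | "
    "CORRECTION1= AFFIX COMPLETED RECON YELLOW SPECIAL HANDLING TAG TO ALL FAILED "
    "MATERIAL AND RETURN: ENG S/N 79138818\n"
    "CLAIM# 86999 AND CONTROL# 11258066 DIST. CODE 2992 R.O.# 07072 FAILURE"
)

# The answer's pattern as posted. The bare "|" between the three sections is
# regex alternation, so this is really three separate patterns and a single
# match only ever populates CAUSE1.
UNESCAPED_REGEX = re.compile(
    r"CAUSE1=\s?(?P<CAUSE1>[^|]+)\s?|\s?COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+)\s?"
    r"|\s?CORRECTION1=\s?(?P<CORRECTION1>[^\n]+)"
)

# Same pattern with the literal pipes escaped (\|). The captures are lazy, with
# \s* before the delimiter, so trailing blanks stay out of the value.
# CORRECTION1 still stops at the first newline, exactly as in the answer.
FIXED_REGEX = re.compile(
    r"CAUSE1=\s?(?P<CAUSE1>[^|]+?)\s*\|"
    r"\s*COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+?)\s*\|"
    r"\s*CORRECTION1=\s?(?P<CORRECTION1>[^\n]+)"
)

# Generalisation (an assumption about the log format, not stated in the thread):
# every field is NAME= value, fields are separated by "|", and a value runs to
# the next "|" or to the end of the event, across line breaks. One pattern then
# covers CAUSE1/COMPLAINT1/CORRECTION1 and any further field such as
# SUPPLR_ISSUE_ANALYSYS or PART_DESC, in whatever order they appear.
KV_REGEX = re.compile(r"(?P<key>[A-Z][A-Z0-9_]*)=\s?(?P<value>[^|]*?)\s*(?:\||\Z)")


def extract_named(event, pattern=FIXED_REGEX):
    """Apply a fixed named-group pattern once, the way a saved field
    extraction does. Returns {field: value} for the groups that matched,
    or {} when the pattern does not match the event at all."""
    m = pattern.search(event)
    if not m:
        return {}
    return {name: value for name, value in m.groupdict().items() if value is not None}


def extract_all_pairs(event):
    """Extract every NAME= value pair delimited by '|' from the event."""
    return {m.group("key"): m.group("value") for m in KV_REGEX.finditer(event)}


def as_table_row(fields, names, sep=" ------- "):
    """Render the chosen fields as one row joined by the separator the
    question sketches; a missing field renders as an empty cell."""
    return sep.join(fields.get(name, "") for name in names)


if __name__ == "__main__":
    print("unescaped:", extract_named(SAMPLE_EVENT, UNESCAPED_REGEX))
    print("fixed:    ", extract_named(SAMPLE_EVENT))
    print("all pairs:", extract_all_pairs(SAMPLE_EVENT))
    print(as_table_row(extract_all_pairs(SAMPLE_EVENT),
                       ["CAUSE1", "COMPLAINT1", "CORRECTION1"]))
```

The same escaped pattern can be tried inline in Splunk with `rex field=_raw "..."` on a few events before it is saved as a field extraction, which gives the same quick check as the "Apply" step above.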
Thanks a lot, "aholzer". Your approach solved my problem.
I created the following fields using your approach:
CAUSE1=\s?(?P<CAUSE1>[^|]+)
COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+)
CORRECTION1=\s?(?P<CORRECTION1>[^|]+)
SUPPLR_ISSUE_ANALYSYS=\s?(?P<SUPPLR_ISSUE_ANALYSYS>[^|]+)
PART_DESC=\s?(?P<PART_DESC>[^|]+)
Now in search I am able to extract the values.
Thanks a lot.
Also, ensure you change the permission of the field extractions to global so that they are available from any app.