
How to create custom fields through which I can extract the following values

infyravi
Explorer

My log file has entries like this:

CAUSE1= CYLINDER HEAD|COMPLAINT1= A260241 WILL NOT BUILD AIR OR BUILDS SLOWLY | CORRECTION1= AFFIX COMPLETED RECON YELLOW SPECIAL HANDLING TAG TO ALL FAILED MATERIAL AND RETURN: ENG S/N 79138818
CLAIM# 86999 AND CONTROL# 11258066 DIST. CODE 2992 R.O.# 07072 FAILURE

Here "|" is the delimiter in my log file.

I want to show a table like this:

CAUSE1 --------- COMPLAINT1 -------- CORRECTIONS1

CYLINDER HEAD ------- A260241 WILL NOT BUILD AIR OR BUILDS-----AFFIX COMPLETED RECON YELLOW SPECIAL HANDLING TAG TO ALL FAILED MATERIAL AND RETURN: ENG S/N 79138818
CLAIM# 86999 AND CONTROL# 11258066 DIST. CODE 2992 R.O.# 07072 FAILURE

These values are not getting auto-indexed by Splunk, so I am not able to perform a simple search like this:
sourcetype="test" CORRECTION1="*"

It is not showing any results.

Can anyone let me know how to solve this issue?


aholzer
Motivator

On your search head, run a search that will pull up some of your events. Then select "extract fields" from the dropdown to the left of one of the events that contains the data you wish to extract. This will take you to the "Interactive Field Extractor" page. This page going forward should be of great assistance when you wish to extract fields and store them to use in searches.

Now in your case you are looking for a regex that will look something like this (click the "Edit" button under "Generated pattern (regex)", and paste the below regex):

CAUSE1=\s?(?P<CAUSE1>[^|]+)\s?\|\s?COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+)\s?\|\s?CORRECTION1=\s?(?P<CORRECTION1>[^\n]+)

This will capture everything after "CAUSE1= " and before the first pipe (|) as a field named CAUSE1, everything after "COMPLAINT1= " and before the second pipe (|) as a field named COMPLAINT1, and finally it will capture everything after "CORRECTION1= " until it hits a new line or the event ends as a field named "CORRECTION1". Run the regex by clicking "Apply" and ensure that the data you are looking for has been captured the way you want it. If you are missing something, or the data doesn't look correct, then edit the regex again and try something new.

Once you save your new field extractions, every time you run a search against the sourcetype you linked the extractions to, you will get these fields on the left hand side automatically. You will be able to run such things as [ sourcetype="test" CORRECTION1="*" ]

Hope this helps

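As an added example (mine, not code from the thread or from Splunk), the regex from the answer above run in Python, whose re module accepts the same (?P<name>...) groups as Splunk's PCRE, against the event quoted in the question: it shows that the pipes must be escaped (a bare "|" is alternation and leaves COMPLAINT1 and CORRECTION1 empty), and it generalizes the per-field extractions the asker posted below into one KEY=VALUE pattern. The sample event is constructed from the question; the generic pattern is my own.

```python
import re

# Event constructed from the one quoted in the question. The CORRECTION1
# value wraps onto a second line, which is why the answer ends it with [^\n]+.
SAMPLE_EVENT = (
    "CAUSE1= CYLINDER HEAD|COMPLAINT1= A260241 WILL NOT BUILD AIR OR BUILDS "
    "SLOWLY | CORRECTION1= AFFIX COMPLETED RECON YELLOW SPECIAL HANDLING TAG "
    "TO ALL FAILED MATERIAL AND RETURN: ENG S/N 79138818\n"
    "CLAIM# 86999 AND CONTROL# 11258066 DIST. CODE 2992 R.O.# 07072 FAILURE"
)

# The answer's pattern with bare pipes: "|" is alternation, so the engine is
# satisfied by the first alternative (CAUSE1) and never fills the other groups.
AS_POSTED_RE = re.compile(
    r"CAUSE1=\s?(?P<CAUSE1>[^|]+)\s?|\s?COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+)\s?"
    r"|\s?CORRECTION1=\s?(?P<CORRECTION1>[^\n]+)"
)

# Same pattern with the two literal pipes escaped, which is what the prose in
# the answer actually describes (CORRECTION1 still stops at the line break).
FIXED_RE = re.compile(
    r"CAUSE1=\s?(?P<CAUSE1>[^|]+)\s?\|\s?COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+)\s?"
    r"\|\s?CORRECTION1=\s?(?P<CORRECTION1>[^\n]+)"
)

# Generic "KEY= VALUE|KEY= VALUE" extractor (my generalization, not from the
# thread): one pattern covers extra fields such as SUPPLR_ISSUE_ANALYSYS and
# PART_DESC instead of one extraction per field. Because [^|] also matches a
# newline, a value keeps running across line breaks until the next pipe.
PAIR_RE = re.compile(r"(?:^|\|)\s*(?P<key>[A-Z0-9_]+)=\s*(?P<value>[^|]+)")


def extract_named(pattern: re.Pattern, event: str) -> dict:
    """Run one named-group regex; groups that did not match come back as None."""
    m = pattern.search(event)
    if not m:
        return {}
    return {k: (v.strip() if v else None) for k, v in m.groupdict().items()}


def extract_pairs(event: str) -> dict:
    """Extract every KEY=VALUE pair, trimming the whitespace around the pipes."""
    return {m["key"]: m["value"].strip() for m in PAIR_RE.finditer(event)}


if __name__ == "__main__":
    print("as posted:", extract_named(AS_POSTED_RE, SAMPLE_EVENT))
    print("fixed:    ", extract_named(FIXED_RE, SAMPLE_EVENT))
    print("generic:  ", extract_pairs(SAMPLE_EVENT))
```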

infyravi
Explorer

Thanks a lot "aholzer". Your approach solved my problem.
I created the following fields using your approach

FOR CAUSE1

CAUSE1=\s?(?P<CAUSE1>[^|]+)\s?

FOR COMPLAINT1

COMPLAINT1=\s?(?P<COMPLAINT1>[^|]+)\s?

FOR CORRECTION1

CORRECTION1=\s?(?P<CORRECTION1>[^|]+)\s?

FOR SUPPLR_ISSUE_ANALYSYS

SUPPLR_ISSUE_ANALYSYS=\s?(?P<SUPPLR_ISSUE_ANALYSYS>[^|]+)\s?

FOR PART_DESC

PART_DESC=\s?(?P<PART_DESC>[^|]+)\s?

Now in search I am able to extract the values.
Thanks a lot.

somesoni2
Revered Legend

Also, ensure you change the permissions of the field extractions to global so that they are available from any app.
