I am really new to Splunk, but I have searched the questions here and don't seem to find an answer to my problem. I have just started the online sandbox and am messing around with a log file from one of our applications (so it is a custom log file).
A line in the log file looks like this:
[08/03/14 03:07:49, 127.0.0.1, N/A] [Source: 10.50.2.15:55000] PresenceSensor: Sensor 00:00:CC:DD:00:00 rebooted
What I want to do is extract the MAC Address from this line and then create a bar graph showing when this line was recorded for a particular MAC Address.
I loaded in the file and I see the indexed data. It automatically separated the date out and the rest of the stuff is in the 'Event' column. I created an Extract Field with this config:
Trace : EXTRACT-mac_address Inline ([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$
admin search Global | Permissions Enabled
Now, I go back to the search area and I don't see this field anywhere. Isn't it supposed to just show up? How do I make use of this extracted field?
- I have checked the sourcetype
- I have opened up the 'More Fields' area and it is not there even with the 'All fields' option at the top
- I have adjusted the permissions (they are completely global and for every app)
What am I missing? It is probably something obvious, so please be gentle.
Well, I have figured out a few things last night that helped me understand why things sometimes don't show.. writing it here for other newbies to reference. Thanks to everyone for responding, the answers definitely helped me eliminate things:
Ran that and it got rid of all the indexed stuff... at least, it then showed zero events and the data screen said 'Waiting for Data'. I reloaded the log file, checked to make sure the extraction field was still there, and then went to the search area. It still has the defaults and my field does not show. I feel like I am missing something simple... I really appreciate your help on this. Maybe this is a problem with the cloud sandbox instance?
Can you try running this and see if the field appears?
sourcetype=Trace | extract reload=t
Hmm... still doesn't show up. I modified my extraction field to the below and then went back to the search area and only the regular fields are there.
https://www.dropbox.com/s/h821lgztz2tm5ef/extraction_field.PNG
which has these params:
Trace : EXTRACT-mac_address Inline Sensor (?
admin search Global | Permissions Enabled
Here is a pic of my search screen:
https://www.dropbox.com/s/3314frx2bea5psf/Search_Screen.PNG
I was coming to that 🙂
Now, create the field extraction with the following configuration:
Name: mac_address
Sourcetype: Trace
Type: Inline
Extraction/Transform:Sensor (?
And you should see the field extracted automatically on the sidebar. (Basically, use whatever you mentioned in the rex command as the field extraction regex.)
When I test this:
sourcetype=Trace | rex "Sensor (?
It creates a field called 'example_mac' that shows on the left... While that is not surprising, it still leaves my original question open. I defined an extraction field called mac_address and that does not show up anywhere and does not seem to be able to be used. ??
I put in this string:
sourcetype=Trace | table _raw | rex "Sensor (?
I get every event returned, the field does not show up in the search field list, and my other field 'mac_address' goes away.
Can you test the following and tell me if you get the field MAC_ADDR?
your base search | table _raw | rex "(?
I finally got the field to show up... but am not really sure why or if it is even the configured extraction field. All I did was put this line in:
sourcetype=Trace | rex "Sensor (?
All of a sudden, the field is now present on the left side of the search area and I could click on it and ask to graph it over time... got my graph. If anyone can explain that, please do.
Have you verified that it's extracting events properly now? Use the IFX tool, which you get to by clicking the Extract Fields menu option on an event in search.
OK, I have changed the regex for the extract field to that, thank you. My original problem still exists though, where this new field does not show up for me in the list of fields for search, how do I get it to show there?
try this regex: ([A-F0-9]{2}[:-]){5}[A-F0-9]{2}
OK, I am sure the regex is probably not correct. Will a bad regex mean that the extract field does not even show? I guess I was expecting the field to show and then just have zero results or an error if the regex was bad... but the field not showing up at all made me think I have an earlier step wrong.
Your regex says to expect the MAC address at the end of the line, but the MAC address is not at the end.
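To show why the original extraction produced nothing while the unanchored one works, here is an added example (not from the thread or from Splunk) that runs both patterns in Python's `re` over a few constructed lines in the same shape as the one quoted above and counts events per MAC, which is the data behind the requested bar graph. Splunk's `(?<name>...)` group syntax is written `(?P<name>...)` in Python; everything else about the two regexes is as posted in the thread.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in the shape of the one quoted in the question
# (the third line has no MAC, to show that non-matching events are skipped).
SAMPLE_LINES = [
    "[08/03/14 03:07:49, 127.0.0.1, N/A] [Source: 10.50.2.15:55000] "
    "PresenceSensor: Sensor 00:00:CC:DD:00:00 rebooted",
    "[08/03/14 04:12:01, 127.0.0.1, N/A] [Source: 10.50.2.15:55000] "
    "PresenceSensor: Sensor 00:00:CC:DD:00:01 rebooted",
    "[08/03/14 04:15:30, 127.0.0.1, N/A] [Source: 10.50.2.15:55000] "
    "PresenceSensor: heartbeat ok",
    "[08/03/14 05:00:00, 127.0.0.1, N/A] [Source: 10.50.2.15:55000] "
    "PresenceSensor: Sensor 00:00:CC:DD:00:00 rebooted",
]

# Regex from the original EXTRACT-mac_address setting: the trailing '$'
# demands that the MAC be the last thing on the line, which it never is here.
ANCHORED_MAC_RE = re.compile(r"([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$")

# Regex in the spirit of the thread's fix: no end anchor, and a named group
# so the value lands in a field. Splunk rex writes the group as
# (?<mac_address>...); Python spells it (?P<mac_address>...).
MAC_RE = re.compile(r"Sensor (?P<mac_address>([A-F0-9]{2}[:-]){5}[A-F0-9]{2})")


def extract_mac(line: str, pattern: re.Pattern = MAC_RE) -> Optional[str]:
    """Return the MAC captured from one log line, or None if the pattern fails."""
    m = pattern.search(line)
    if m is None:
        return None
    # The anchored pattern has no named group, so fall back to the full match.
    return m.groupdict().get("mac_address") or m.group(0)


def count_events_by_mac(lines, pattern: re.Pattern = MAC_RE) -> dict:
    """Count matching events per MAC: the data behind a per-device bar chart."""
    macs = (extract_mac(line, pattern) for line in lines)
    return dict(Counter(mac for mac in macs if mac is not None))


if __name__ == "__main__":
    print("anchored:", count_events_by_mac(SAMPLE_LINES, ANCHORED_MAC_RE))
    print("fixed:   ", count_events_by_mac(SAMPLE_LINES))
```

With the anchored pattern every line is skipped and the field stays empty, which is what the empty sidebar in the thread corresponds to; with the unanchored pattern each reboot is attributed to its MAC.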