Hello,
I tried to create a rule to extract all fields of a CSV table. Unfortunately the field extractor (the new app) causes problems after a certain length of the regex. The problem is that the input length in the browser is limited. Is there something more behind it, and am I just using the field extractions in the wrong way? Or is it again just another really annoying bug in the Splunk web interface?
(Like the problems caused when you want to edit a long saved search and have problems with the input window that each time jumps back to its unbelievably tiny size, and you have to use an external editor like Notepad to edit the query... or die scrolling. (Splunk gets beaten by Notepad. That's hard, and not really a pro for buying it!))
Kind regards,
Xantor
Splunk comes with an understanding of CSV data out of the box. Take a look at http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Extractfieldsfromfileheadersatindextime for a start.
Normally, you wouldn't need regex extractions for CSV data. Have you looked at the DELIMS and FIELDS (in transforms.conf) combination with a REPORT (in props.conf)?
props.conf
[your_sourcetype]
REPORT-blah = my_csv_extractor
transforms.conf
[my_csv_extractor]
DELIMS = ","
FIELDS = field1, field2, field3 etc etc
/K
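As an added illustration of the DELIMS/FIELDS extraction described in the answer above (this is not Splunk's own code and not from the thread): a small Python stand-in that applies a transform shaped like my_csv_extractor to constructed CSV events and skips a repeated header row. The field names, the sample events and the HEADER_REGEX are assumptions made for the example.

```python
import csv
import io
import re

# Constructed stand-in for the transforms.conf stanza in the answer.
# The stanza name follows the answer; the field names are assumed.
TRANSFORMS = {
    "my_csv_extractor": {
        "DELIMS": ",",
        "FIELDS": ["timestamp", "src_ip", "user", "action", "status"],
    },
}

# Constructed sample events: a header row that repeats inside the data
# (the poster mentions one roughly every 200 lines), then data rows.
SAMPLE_EVENTS = """timestamp,src_ip,user,action,status
2014-06-01T10:00:00,10.0.0.5,alice,login,success
2014-06-01T10:00:07,10.0.0.9,bob,login,failure
timestamp,src_ip,user,action,status
2014-06-01T10:00:12,10.0.0.5,alice,"download,report",success
"""

# Assumed pattern that recognises the header row, playing the role of the
# FIELD_HEADER_REGEX check the poster asks about.
HEADER_REGEX = re.compile(r"^timestamp,src_ip,")


def extract(event, transform):
    """Split one event on DELIMS and pair the pieces with FIELDS in order."""
    # csv.reader keeps a quoted delimiter inside a value as part of that value
    values = next(csv.reader([event], delimiter=transform["DELIMS"]))
    # zip drops extra values beyond FIELDS and leaves missing trailing fields absent
    return dict(zip(transform["FIELDS"], values))


def extract_all(text, transform, header_regex=HEADER_REGEX):
    """Apply the transform to every non-empty line, skipping repeated header rows."""
    results = []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line or header_regex.match(line):
            continue
        results.append(extract(line, transform))
    return results


if __name__ == "__main__":
    for row in extract_all(SAMPLE_EVENTS, TRANSFORMS["my_csv_extractor"]):
        print(row)
```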
Hey, I am sorry it took me some time until I could review this problem. For this case it's a good solution for the basic problem.
I think I should be able to use a FIELD_HEADER_REGEX to filter out all headers, even though they might be repeated every 200 lines, right?
Well, it looks like this is just a limit in the web interface. Nevertheless: is there a better way for field extractions of this data? Or is this acceptable? We will get about 20MB/day in these logs, and the CSV table has 24 columns and each event has a length of about 220 chars.