All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect 2.3.0: How to properly extract fields from database events that contain spaces in the field names?

bharathkumarnec
Contributor
‎11-23-2016 04:24 AM

Hello All,

We are using Splunk DB Connect 2.3.0. Below are the sample of events:

Severity Code = "103",Transition Code="111"

"Severity Code" & Transition Code" are not showing in the fields list. Instead, we are able to see only fields with name "Code", as there is a white space in between the two words of the field names.

How to extract fields completely with "Severity Code" & "Transition Code"?

Kindly help me out.

Regards,

0 Karma
Reply

rodrigorsilva
Communicator
‎11-23-2016 10:23 AM

It would be simpler to adjust the input, avoid writing a regex...

Example: Select `Severity Code` as Severity_Code, `Transition Code` as Transition_Code from [your_table] ...

Tks

Rodrigo Ribeiro

0 Karma
Reply

bharathkumarnec
Contributor
‎11-23-2016 04:50 AM

We have not explicitly specified sourcetype for these events, our db connect app configured in Search head server.

If we need to specify the sourcetype, what all we need to include and this sourcetype stanza should be in searchhead, indexer or both??

Thanks for your help!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-23-2016 07:29 AM

It's a Splunk Best Practice to explicitly specify a sourcetype for all inputs. It should be defined on the node where DB Connect is running. Choose the best props.conf settings for your data. If you elect to use REGEX string, this one may get you started: Severity Code = "(?<severity>\d+)",Transition Code="(?<transition>\d+)".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-23-2016 04:46 AM

What sourcetype are you using and what are the props.conf settings for that sourcetype?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...