Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Turning a search into a new field

cpeteman
Contributor
‎08-19-2013 10:12 AM

The following search removes usernames, host names, all time information, any digits, and turns all strings of white space into a single "_" for the _raw message. 

.... |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" 
|rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" 
|rex mode=sed "s/(Jan|January|Feb|Febuary|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" 
|rex mode=sed "s/\s+/_/g"| rename _raw AS msgdigest |stats count by msgdigest

I would like to be able to have this "digested" message available as a field does anyone know how to turn this into a field. Preferably with the transforms and extraction pages in manager as I'm currently having unrelated problems with props.conf and transforms.conf files. Please help!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎08-19-2013 12:25 PM

A workaround is to create a macro and call it after the search.

For the automatic field extractions (rex command), please see
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...
I never tried to use the mode=sed in the configuration file, I couldn't figure if it's possible.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎08-20-2013 08:41 AM

I'm not really sure what you mean. Where am I using this re? and what do I put in the regex expression if I only have a sed expression?

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎08-19-2013 03:51 PM

Did this not work?
Syntax
rex field=

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎08-19-2013 12:25 PM

A workaround is to create a macro and call it after the search.

For the automatic field extractions (rex command), please see
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...
I never tried to use the mode=sed in the configuration file, I couldn't figure if it's possible.

0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎08-26-2013 03:55 PM

For now a macro seems to be the only option I did manage to avoid my fear in the above comment.

0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎08-19-2013 01:53 PM

A marco would take away the original _raw message, as I have my search now that is. Do you know if that can be avoided?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...