Archive

Turning a search into a new field

Contributor

The following search removes usernames, host names, all time information, any digits, and turns all strings of white space into a single "_" for the _raw message.

.... |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" 
|rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" 
|rex mode=sed "s/(Jan|January|Feb|Febuary|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" 
|rex mode=sed "s/\s+/_/g"| rename _raw AS msgdigest |stats count by msgdigest

I would like to be able to have this "digested" message available as a field does anyone know how to turn this into a field. Preferably with the transforms and extraction pages in manager as I'm currently having unrelated problems with props.conf and transforms.conf files. Please help!

Tags (1)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

A workaround is to create a macro and call it after the search.

For the automatic field extractions (rex command), please see
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...
I never tried to use the mode=sed in the configuration file, I couldn't figure if it's possible.

View solution in original post

0 Karma

Contributor

I'm not really sure what you mean. Where am I using this re? and what do I put in the regex expression if I only have a sed expression?

0 Karma

Super Champion

Did this not work?
Syntax
rex field=

0 Karma

Splunk Employee
Splunk Employee

A workaround is to create a macro and call it after the search.

For the automatic field extractions (rex command), please see
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...
I never tried to use the mode=sed in the configuration file, I couldn't figure if it's possible.

View solution in original post

0 Karma

Contributor

For now a macro seems to be the only option I did manage to avoid my fear in the above comment.

0 Karma

Contributor

A marco would take away the original _raw message, as I have my search now that is. Do you know if that can be avoided?

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!