Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can I combine values from multiple field extractions into a single table field

cbwillh
Path Finder
‎02-01-2019 02:44 PM

We have syslog data from our esxi hosts and typical of esxi logs there are multiple logs with different formats in the message portion of the log.
in short splunk cannot automatically determine which portion of the data is the message since all the logs have a string with nothing to identify the actual message we want to see.
we can see the messages if we do a search and just use verbose and look at the raw logs that are displayed. however I am trying to make it easier to read quickly by creating a table with _time, host, sourcetype, source message
note that "message" is where I want to see the message from all the different logs.

I have manually created field extractions but to get each logs message piece I had to create 9 separately named extractions which I have named:
message_hostd
message_hostdprobe
message_injector
message_rhttpproxy
message_sfcb
message_Vpxa
message_syslog
message_backup
message_crond

what I have been trying to do is funnel all of those field extraction names to the single "message" field in the table portion of my search.

I have been trying to use all of the currently available suggestions found on this site when I search for "combine multiple field extractions into a single table field" but nothing works.

sadly I am not very good with all of the splunk search commands beyond the basics and would really appreciate it if someone with much more knowledge can either point me in the right direction or confirm that what I am trying to do can not be done.

thank you all in advance for your help.

please note that I already have searched this splunk blog and I have tried everything even remotely similar to my described issue that already exists on this site with NO success. so I have definitely done my due diligence before posting here.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-02-2019 09:58 AM

You need the coalesce command like this:

... | eval message = coalesce(message_hostd, message_hostdprobe, message_injector, message_rhttpproxy, message_sfcb, message_Vpxa, message_syslog, message_backup, message_crond)

Also, you can do your field extractions in pairs like this:

EXTRACT-double = (?<message>(?<message_hostd>YourRegExHere))

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-02-2019 09:58 AM

You need the coalesce command like this:

... | eval message = coalesce(message_hostd, message_hostdprobe, message_injector, message_rhttpproxy, message_sfcb, message_Vpxa, message_syslog, message_backup, message_crond)

Also, you can do your field extractions in pairs like this:

EXTRACT-double = (?<message>(?<message_hostd>YourRegExHere))
Reply
Solved! Jump to solution

cbwillh
Path Finder
‎02-04-2019 07:15 AM

Hi Woodcock,
awesome that worked a treat! thanks so much for your help clarifying the command syntax.

I just tried it in my search and it worked exactly as I wanted!

I am awarding points to chrisyoungerjds as well for this. you guys both really helped me out here. very much appreciated!

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-04-2019 10:45 AM

glad you solved it 🙂

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-02-2019 11:10 AM

Yes good one. For some reason I thought coalesce didn't support more than two arguments, but there you go! Thanks.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 02:54 PM

This is one way to do it:

| eval message = coalesce(coalesce(coalesce(coalesce(coalesce(coalesce(coalesce(coalesce(message_hostd, message_hostdprobe), message_injector) , message_rhttpproxy) , message_sfcb) , message_Vpxa) , message_syslog) , message_backup ), message_crond)

Oh, I should also mention that if you want, you can have multiple field extractions defined that set the same field value. The first one (in ascii order) will take effect if there are multiple matches. This way you don't need to do the coalescing in your search query.

0 Karma
Reply
Solved! Jump to solution

cbwillh
Path Finder
‎02-04-2019 07:19 AM

Hi Chrisyoungerjds,
thanks so much for your help, I chose the answer from woodcock because he clarified the correct syntax but I wish I could put you both as your suggestion (once I used woodcocks syntax) did work perfectly. I really appreciate your help and I gave you points in lieu of choosing as the answer. thanks again your answer got me on the right track and with the syntax provided by woodcock it worked and did exactly what I was looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...