How do I configure Splunk to extract fields for da...

muellernc · ‎01-11-2016

Dear Splunk-Community,

I loaded Hadoop events in the Following format into Splunk:

In the next step I would like to create a dashboard which displays those values in a table, something like this:

and so on.

I am stuck because Splunk won't recognize those event lines as searchable fields. Any ideas on how I can generate the table from the sample event?

Thanks in advance!

sundareshr · ‎01-11-2016

If you are comfortable change transforms.conf & props.conf, you will need to add a field extraction rule to extract these fields at searchtime. Something like this in your transforms should do it

[your stanza]
REGEX = ([^:]+):(.*)
FORMAT = $1::$2

The other option is to achieve this from web ui (this may be easier with similar results). Here's a link on that http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Managefieldtransforms

Third option, is use the extract command in your search, like this

... | extract pairdelim="\n" kvdelim=":"

This would be my last option.

How do I configure Splunk to extract fields for data coming in via scripted into to produce a table on a dashboard?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation