Hi all,
I am fairly new to Splunk and have been working on the following search-time field extraction to grab Windows-formatted filenames from various different custom logs, and was wondering if and how something like this can be made to automatically extract fields for a given app. I believe this will require work in props.conf and the use of SED scripts, but was wondering if anyone could point me in the right direction, as I wouldn't know where to start. Any help would be greatly appreciated:
| rex "(?<extractfilename>(( |TrustedInsta|//)+[-a-zA-Z0-9)/(. ]+.(exe|dll|bat)$))"
| rex mode=sed field=extractfilename "s/^[a-zA-Z0-9][ ]+ //"
| rex mode=sed field=extractfilename "s/^ *//"
| rex mode=sed field=extractfilename "s/^TrustedInsta//"
| rex "(?<extractfilename2>(\+[a-zA-Z0-9]+.(exe|dll|bat)\"))"
| eval FILE=mvappend(extractfilename, " ", extractfilename2)

SEDCMD in props.conf
Here is an example:
[your sourcetype]
SEDCMD-extractfilename = s/^[a-zA-Z0-9][ ]+ //g
This of course assumes your regex is working properly.
Reviving an old post.
I have lines of data with the below values:
WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62364588:
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62645015:
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62625062:
I expect results like below:
WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
And I use a SEDCMD stanza like below in props.conf:
[source::C:\Program Files\Splunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g
but it is not working!
I would appreciate it if any experts can help me here.
Fixed!
This did not work:
[source::C:\Program Files\Splunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g

This works:
[Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = s/LINE_ID_NOT_FOUND:[0-9]*/LINE_ID_NOT_FOUND/g
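The following is an added example, not code from the thread or from Splunk. It emulates what a props.conf SEDCMD does to a raw event so the scripts posted above can be checked against the sample rows offline. It uses Python's re module as a stand-in for Splunk's regex engine, understands only the s/regex/replacement/flags form (so the posted -r prefix is rejected, since Splunk's SEDCMD takes the sed script alone, not sed command-line options), and applies several SEDCMDs in one stanza in file order, which is this emulator's simplification. The props.conf text, the second stanza name and the sample rows are constructed for the example.

```python
"""Emulate Splunk props.conf SEDCMD rewriting of _raw (constructed example)."""
import re

# Constructed sample events, copied from the CSV rows quoted in the thread.
SAMPLE_LINES = [
    "AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62364588:",
    "AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62645015:",
    "AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62625062:",
]

# Constructed props.conf fragment. The first stanza holds the script that the
# thread reports as working; the second (a made-up sourcetype name) holds an
# alternative that also keeps the trailing colon, matching the expected output.
PROPS_CONF = """
[Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = s/LINE_ID_NOT_FOUND:[0-9]*/LINE_ID_NOT_FOUND/g

[Order_Activities_keep_colons.csv]
SEDCMD-LINE_ID_NOT_FOUND = s/LINE_ID_NOT_FOUND:[0-9]+:/LINE_ID_NOT_FOUND::/g
"""


def parse_sed(script):
    """Split 's<d>regex<d>replacement<d>flags' into its parts, honouring '\\<d>' escapes."""
    if len(script) < 2 or script[0] != "s":
        raise ValueError(f"only s/// scripts are supported: {script!r}")
    delim = script[1]
    parts, cur, i = [], [], 2
    while i < len(script):
        ch = script[i]
        if ch == "\\" and i + 1 < len(script) and script[i + 1] == delim:
            cur.append(delim)  # escaped delimiter is a literal character
            i += 2
            continue
        if ch == delim:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError(f"malformed sed script: {script!r}")
    regex, repl, flags = parts
    return regex, repl, flags


def apply_sed(script, text):
    """Apply one s/// script to a string; only the 'g' flag is supported."""
    regex, repl, flags = parse_sed(script)
    unknown = set(flags) - {"g"}
    if unknown:
        raise ValueError(f"unsupported sed flag(s) {sorted(unknown)} in {script!r}")
    count = 0 if "g" in flags else 1  # re.sub: count=0 means replace all
    return re.sub(regex, repl, text, count=count)


def parse_props(text):
    """Return {stanza: [(class, script), ...]} for SEDCMD-* keys, in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current is not None and key.upper().startswith("SEDCMD-"):
            stanzas[current].append((key[len("SEDCMD-"):], value))
    return stanzas


def rewrite_raw(props_text, stanza, raw):
    """Apply every SEDCMD of `stanza` to one raw event. A stanza that does not
    match (the thread's original source:: problem) leaves the event untouched."""
    for _cls, script in parse_props(props_text).get(stanza, []):
        raw = apply_sed(script, raw)
    return raw


def demo():
    """What each constructed stanza does to the sample rows."""
    return {
        "posted": [rewrite_raw(PROPS_CONF, "Order_Activities.csv", l) for l in SAMPLE_LINES],
        "keep_colons": [rewrite_raw(PROPS_CONF, "Order_Activities_keep_colons.csv", l)
                        for l in SAMPLE_LINES],
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name)
        for row in rows:
            print("  " + row)
```

Running it shows that the regex body of the posted script strips the digits and the first colon, giving LINE_ID_NOT_FOUND: rather than the LINE_ID_NOT_FOUND:: in the expected output; the second stanza's script anchors on both colons and produces the expected rows. Because SEDCMD rewrites _raw before indexing, whatever it removes (here an identifier, in other deployments a credential or card number) is gone from the index for good, which is exactly why it is the usual tool for masking sensitive fields; it does not create a search-time field, for which props.conf uses EXTRACT-<class> with a named capture group instead.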
Ah great, actually that is all I needed to know; my stuff is all good now, thanks for the nudge.

Sure, here are a few different ones which the above work with:
07/13/2009 09:41 PM 169,472 NT SERVICE\TrustedInstaPortableDeviceWiaCompat.dll
0x00000000fd1b0000 0x51000 C:\WINDOWS\system32\msv10.DLL
The field extraction itself is working to my liking. My problem is getting the series of SED and REX into the config files so as to automatically extract the FILE field when accessing a particular app or whatnot.
Thanks

Can you provide a sample event?
