Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field extractions from Application logs - pick specific value

vijjuh
Engager
‎05-06-2024 08:15 AM

I have splunk logs where there is key word like 

<ref>BTB- Abcd1234<ref>

as it's primary key for trade reference and I did extract using delemiter <> , and give field name "my_Ref".

now if search BTB it showing me all the matching reference as my dashboard search string is like <ref>BTB-*<ref> .

now the problem is along with reference i can see some additional line is also getting pick and when is see the event detail my extract field showing that values . 

output from search query : 

index=in_my "<ref>*$Ref$*<ref> | table my_ref | dedup my_ref

1.BTB-Abcd1

2.BTB-Abvd2

3.]...)Application]true ?..

4.BTB-Acdg3

5.BTB-Shfhfj4

now I want to ignore the 3."]...)Application]true "value and don't know how....

can someone please help on the same.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 11:00 AM

Ehhh... There are several things wrong here.

Firstly, you should onboard your data properly. For now you think you're having problems with field extractions but you should make sure that:

1) Your data is properly split into separate events

2) Your timestamp is properly recognized

3) Your fields are properly extracted (in this case they most probably be extracted using regexes by anchoring them to known "tags" like your <ref> string)

Additionally, unless you absolutely can't avoid it, you should never use wildcards at the beginning of your search term and avoid using them in the middle of your search term due to performance reasons and consistency of the results. In your case the wildcard is in the middle of the search term but due to it being surrounded by major breakers (the pointy braces) it will be treated as a beginning of a search term. That's a very very bad idea because Splunk has to read all the events you have and can't limit itself to only find events using the indexes it built from parts of your events.

So get your data onboarded properly and the search will be something like

index=my_index my_ref=$Ref$*

And that will be enough

Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top