Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field extractions from Application logs - pick specific value

vijjuh
Engager
‎05-06-2024 08:15 AM

I have splunk logs where there is key word like 

<ref>BTB- Abcd1234<ref>

as it's primary key for trade reference and I did extract using delemiter <> , and give field name "my_Ref".

now if search BTB it showing me all the matching reference as my dashboard search string is like <ref>BTB-*<ref> .

now the problem is along with reference i can see some additional line is also getting pick and when is see the event detail my extract field showing that values . 

output from search query : 

index=in_my "<ref>*$Ref$*<ref> | table my_ref | dedup my_ref

1.BTB-Abcd1

2.BTB-Abvd2

3.]...)Application]true ?..

4.BTB-Acdg3

5.BTB-Shfhfj4

now I want to ignore the 3."]...)Application]true "value and don't know how....

can someone please help on the same.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 11:00 AM

Ehhh... There are several things wrong here.

Firstly, you should onboard your data properly. For now you think you're having problems with field extractions but you should make sure that:

1) Your data is properly split into separate events

2) Your timestamp is properly recognized

3) Your fields are properly extracted (in this case they most probably be extracted using regexes by anchoring them to known "tags" like your <ref> string)

Additionally, unless you absolutely can't avoid it, you should never use wildcards at the beginning of your search term and avoid using them in the middle of your search term due to performance reasons and consistency of the results. In your case the wildcard is in the middle of the search term but due to it being surrounded by major breakers (the pointy braces) it will be treated as a beginning of a search term. That's a very very bad idea because Splunk has to read all the events you have and can't limit itself to only find events using the indexes it built from parts of your events.

So get your data onboarded properly and the search will be something like

index=my_index my_ref=$Ref$*

And that will be enough

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...