Getting Data In

Field extractions from Application logs - pick specific value

vijjuh
Engager

I have splunk logs where there is key word like 

<ref>BTB- Abcd1234<ref>

as it's primary key for trade reference and I did extract using delemiter <> , and give field name "my_Ref".

now if search BTB it showing me all the matching reference as my dashboard search string is like <ref>BTB-*<ref> .

now the problem is along with reference i can see some additional line is also getting pick and when is see the event detail my extract field showing that values . 

output from search query : 

index=in_my "<ref>*$Ref$*<ref> | table my_ref | dedup my_ref

1.BTB-Abcd1

2.BTB-Abvd2

3.]...)Application]true ?..

4.BTB-Acdg3

5.BTB-Shfhfj4

now I want to ignore the 3."]...)Application]true "value and don't know how....

can someone please help on the same.

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ehhh... There are several things wrong here.

Firstly, you should onboard your data properly. For now you think you're having problems with field extractions but you should make sure that:

1) Your data is properly split into separate events

2) Your timestamp is properly recognized

3) Your fields are properly extracted (in this case they most probably be extracted using regexes by anchoring them to known "tags" like your <ref> string)

Additionally, unless you absolutely can't avoid it, you should never use wildcards at the beginning of your search term and avoid using them in the middle of your search term due to performance reasons and consistency of the results. In your case the wildcard is in the middle of the search term but due to it being surrounded by major breakers (the pointy braces) it will be treated as a beginning of a search term. That's a very very bad idea because Splunk has to read all the events you have and can't limit itself to only find events using the indexes it built from parts of your events.

So get your data onboarded properly and the search will be something like

index=my_index my_ref=$Ref$*

And that will be enough

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...