Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field extractions from Application logs - pick specific value

vijjuh
Engager
‎05-06-2024 08:15 AM

I have splunk logs where there is key word like 

<ref>BTB- Abcd1234<ref>

as it's primary key for trade reference and I did extract using delemiter <> , and give field name "my_Ref".

now if search BTB it showing me all the matching reference as my dashboard search string is like <ref>BTB-*<ref> .

now the problem is along with reference i can see some additional line is also getting pick and when is see the event detail my extract field showing that values . 

output from search query : 

index=in_my "<ref>*$Ref$*<ref> | table my_ref | dedup my_ref

1.BTB-Abcd1

2.BTB-Abvd2

3.]...)Application]true ?..

4.BTB-Acdg3

5.BTB-Shfhfj4

now I want to ignore the 3."]...)Application]true "value and don't know how....

can someone please help on the same.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 11:00 AM

Ehhh... There are several things wrong here.

Firstly, you should onboard your data properly. For now you think you're having problems with field extractions but you should make sure that:

1) Your data is properly split into separate events

2) Your timestamp is properly recognized

3) Your fields are properly extracted (in this case they most probably be extracted using regexes by anchoring them to known "tags" like your <ref> string)

Additionally, unless you absolutely can't avoid it, you should never use wildcards at the beginning of your search term and avoid using them in the middle of your search term due to performance reasons and consistency of the results. In your case the wildcard is in the middle of the search term but due to it being surrounded by major breakers (the pointy braces) it will be treated as a beginning of a search term. That's a very very bad idea because Splunk has to read all the events you have and can't limit itself to only find events using the indexes it built from parts of your events.

So get your data onboarded properly and the search will be something like

index=my_index my_ref=$Ref$*

And that will be enough

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top