Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field extractions from Application logs - pick specific value

vijjuh
Engager
‎05-06-2024 08:15 AM

I have splunk logs where there is key word like 

<ref>BTB- Abcd1234<ref>

as it's primary key for trade reference and I did extract using delemiter <> , and give field name "my_Ref".

now if search BTB it showing me all the matching reference as my dashboard search string is like <ref>BTB-*<ref> .

now the problem is along with reference i can see some additional line is also getting pick and when is see the event detail my extract field showing that values . 

output from search query : 

index=in_my "<ref>*$Ref$*<ref> | table my_ref | dedup my_ref

1.BTB-Abcd1

2.BTB-Abvd2

3.]...)Application]true ?..

4.BTB-Acdg3

5.BTB-Shfhfj4

now I want to ignore the 3."]...)Application]true "value and don't know how....

can someone please help on the same.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 11:00 AM

Ehhh... There are several things wrong here.

Firstly, you should onboard your data properly. For now you think you're having problems with field extractions but you should make sure that:

1) Your data is properly split into separate events

2) Your timestamp is properly recognized

3) Your fields are properly extracted (in this case they most probably be extracted using regexes by anchoring them to known "tags" like your <ref> string)

Additionally, unless you absolutely can't avoid it, you should never use wildcards at the beginning of your search term and avoid using them in the middle of your search term due to performance reasons and consistency of the results. In your case the wildcard is in the middle of the search term but due to it being surrounded by major breakers (the pointy braces) it will be treated as a beginning of a search term. That's a very very bad idea because Splunk has to read all the events you have and can't limit itself to only find events using the indexes it built from parts of your events.

So get your data onboarded properly and the search will be something like

index=my_index my_ref=$Ref$*

And that will be enough

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...