Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create a new key-value pair name and value based on text within a log?

jizzmaster
Path Finder
‎02-09-2015 12:38 PM

I would like to create a whole new KV Pair, and based on the text from within a log, give it a specific value.

Example log 1:
user logged on

Example log 2:
user failed logon

Desired KV Pair:
Logon = yes
Logon = no

Is this possible? I suspect this would be done in props.conf, but not sure how to get started.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tpflicke
Path Finder
‎02-10-2015 07:36 AM

The following eval clause might do the trick though it will result in field Logon being present with a blank value if neither phrase is found:

eval Logon=case(match(_raw,"user logged on"), "yes", match(_raw,"user failed logon"),"no",1==1,"")

As jrodman wrote this could be used as part of the search and should also work for creating a calculated field.

Another approach would be using rex mode=sed to change the text:

rex mode=sed field=_raw "s/user logged on/Logon=yes/" | rex mode=sed field=_raw "s/user failed logon/Logon=no/"

You might need a kv or 

| rex field=_raw "Logon=(?<Logon>yes|no)"

to pick up the name value pair.

View solution in original post

Reply
Solved! Jump to solution
Solution

tpflicke
Path Finder
‎02-10-2015 07:36 AM

The following eval clause might do the trick though it will result in field Logon being present with a blank value if neither phrase is found:

eval Logon=case(match(_raw,"user logged on"), "yes", match(_raw,"user failed logon"),"no",1==1,"")

As jrodman wrote this could be used as part of the search and should also work for creating a calculated field.

Another approach would be using rex mode=sed to change the text:

rex mode=sed field=_raw "s/user logged on/Logon=yes/" | rex mode=sed field=_raw "s/user failed logon/Logon=no/"

You might need a kv or 

| rex field=_raw "Logon=(?<Logon>yes|no)"

to pick up the name value pair.

Reply
Solved! Jump to solution

jizzmaster
Path Finder
‎02-10-2015 11:31 AM

That "eval" statement is pretty much exactly what I needed. Along with jrodman's answer, I was able to get this turned into an automatic field extraction by adding it in the props.conf. Thank you both.

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎02-10-2015 06:27 AM

You could construct such a field as part of a search string, or if you wanted it to always be available you could use a calculated field (EVAL-whatever). It's possible you could even express this as a "field extraction" where the value string is hardcoded.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...