- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to create an event type field withi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to create an event type field within a source type?
Hi,
I was wondering if it was possible to create a field within the source type that would show the event type.
Here is a record from my log:
2016-06-05T19:55:10,144 INFO LoadProperties:225 - LoadProperty - Initial fetch for properties is successful
I would like to have INFO (and other types, like ERROR, WARN etc) as their own field within the source type. How can I do this? I'm new to Splunk and am currently using Splunk Enterprise 6.4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use the field extractions page to extract fields by sourcetype. Here's docs on that. http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions
Once in IFX, chose to write your own regular expression and enter this. Make sure you set the right permissions, after creating the field.
,\d+\s*(?<type>\w+)
*OR*
(?<type>INFO|WARN|DEBUG|ERROR)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @jorell, could you please more info? What i understand is you are looking to create a filed that will hold the INFO,ERROR and WARN values? Is that what you are looking for?
You can extract fields always using regular expressions and eval: https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands.
Just to give you an idea, i extracted the Value INFO and assigned it to the Key = Level(Log Level)
|gentimes start=-1|eval Event="2016-06-05T19:55:10,144 INFO LoadProperties:225 - LoadProperty - Initial fetch for properties is successfu"|rex field=Event "\s(?P\w+)\s"
Please provide more info with an example if this is not even close to what you're looking for.
Hope this helps!
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each Log has a type of warning it is after the timestamp, as you've seen. I just want to be able to search for anything that is of the ERROR type, or of the WARN time. So, anyway I can do that will be fine. There is a comma, a number than the log type, which in my example is INFO.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the speedy reply, btw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
np 🙂 Please provide sample events with all possible patterns and we will help you with the dream extraction 🙂
Thanks,
Raghav
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
