Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to extract fields from raw logs, how can I extract fields in this case?

POR160893
Builder
‎05-11-2022 07:47 AM

Hi,

I have a number of raw logs that I need to extract some fields from.

When I go to "Event Actions" and then "Extract Fields", I normally get the following:

POR160893_1-1652280461432.png

However, I am dealing with a number of logs for one index where I get this instead and I cannot extract anything:

POR160893_0-1652280439672.png

How can I extract fields in this case?


Thanks,
Patrick

Labels (1)
Labels
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎05-11-2022 07:54 AM

There are multiple ways to extract fields without using the interactive field extractor.
If you are comfortable with regex, You can try to use the |rex command to start building your extractions in search. After that you can just place them on a props.conf, or add them via settings >> fields >> field extractions.

If you are not comfortable with regex, you can post a sample of your data and we can help you out with that. 😉

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...