Reporting

different formats - same field

a212830
Champion

Hi,

I have a syslog feed from two servers, that use a different format. The first feed has a nice key-value pair, and the field (user) is automatically created by Splunk. The second one has the field value, but I need to create the field (which I can do). How can I report on both of them as the "user" field and get a count of the number of times for each value?


asimagu
Builder

Just create your field extraction as usual. If you require any help with that, we need to see a sample from your log. You can create several conditions for field extractions, so two different formats are not a problem.

About the stat you want: `stats count by user`

Edit:
Try this field extraction:

\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\-\s\w+\s\-\s\[(\d+\.){3}\d+\]\s(?P<user>[^\(]+)\(

asimagu
Builder

Glad it worked 😉 Could you validate the answer then?

0 Karma

a212830
Champion

Oooooooh, never done that one. Thanks! It works! Spend too much time on "admining" the systems and not enough time doing searches!

asimagu
Builder

Sorry, I assumed you knew how to create a field extraction. There are two ways: using the Manager or doing an inline extraction.

Inline extraction, you need to pipe this in the search:
| rex field=_raw "<the regular expression from above>"

Using the Manager:
Create field extractions -> New Extraction -> Complete the form with the sourcetype and the regex from above

0 Karma

a212830
Champion

That would go in the search?

0 Karma

asimagu
Builder

Just edited the answer above, try that and let me know how it goes 😉

0 Karma

a212830
Champion

OK. Thanks.

So, the first one is pre-populated by Splunk, as the message has key-value pairs:

2014-02-12T20:56:39.122238-05:00 myhost Juniper: id=firewall time="2014-02-12 20:56:39" pri=6 fw=1.2.3.4 vpn=ive user=a123456 realm="Siteminder"

The second one does not have key value pairs:

2014-02-12T17:28:38.796343-05:00 myhost1 Juniper: 2014-02-12 17:28:39 - ive - [9.8.7.6] A666666(Siteminder)[TSO - Web Access (LAN)] - WebRequest completed

So, I need both the a123456 and the A66666 values.

0 Karma
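As an added illustration (not code from this thread), the two extractions run in Python over the sample events posted above plus two constructed ones, and the results are counted the way `stats count by user` would. The key=value regex is an assumption standing in for Splunk's automatic extraction; the positional regex is the one proposed in the answer.

```python
import re
from collections import Counter

# Format 1: key=value pairs. Splunk extracts user=... automatically; this regex
# is an assumed stand-in for that behaviour (handles quoted and bare values).
KV_USER = re.compile(r'\buser=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Format 2: positional text. This is the regex proposed in the answer above.
POSITIONAL_USER = re.compile(
    r"\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\-\s\w+\s\-\s"
    r"\[(\d+\.){3}\d+\]\s(?P<user>[^\(]+)\("
)


def extract_user(line):
    """Return the user from either syslog format, or None if neither matches."""
    m = KV_USER.search(line)
    if m:
        return m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    m = POSITIONAL_USER.search(line)
    if m:
        return m.group("user").strip()
    return None


def count_by_user(lines):
    """Equivalent of `... | stats count by user`: events with no user are dropped."""
    return Counter(u for u in map(extract_user, lines) if u is not None)


# Constructed sample feed: the two events from the thread plus two made-up ones.
SAMPLE_EVENTS = [
    '2014-02-12T20:56:39.122238-05:00 myhost Juniper: id=firewall time="2014-02-12 20:56:39" '
    'pri=6 fw=1.2.3.4 vpn=ive user=a123456 realm="Siteminder"',
    "2014-02-12T17:28:38.796343-05:00 myhost1 Juniper: 2014-02-12 17:28:39 - ive - [9.8.7.6] "
    "A666666(Siteminder)[TSO - Web Access (LAN)] - WebRequest completed",
    '2014-02-12T20:57:10.000000-05:00 myhost Juniper: id=firewall time="2014-02-12 20:57:10" '
    'pri=6 fw=1.2.3.4 vpn=ive user=a123456 realm="Siteminder"',
    "2014-02-12T17:29:01.000000-05:00 myhost1 Juniper: 2014-02-12 17:29:01 - ive - [9.8.7.5] "
    "B777777(Siteminder)[TSO - Web Access (LAN)] - WebRequest completed",
]

if __name__ == "__main__":
    for user, n in count_by_user(SAMPLE_EVENTS).most_common():
        print(f"{user}\t{n}")
```

Note that `stats count by user` is case-sensitive, so `a123456` and `A123456` would be counted separately unless you normalise the field (for example with `eval user=lower(user)`) first.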