I have a syslog feed from two servers that use different formats. The first feed has nice key-value pairs, and the field (user) is automatically created by Splunk. The second one has the field value, but I need to create the field (which I can do). How can I report on both of them as the "user" field and get a count of the number of times each value occurs?
Just create your field extraction as usual. If you require any help with that, we need to see a sample from your log. You can create several conditions for field extractions, so two different formats are not a problem.
About the stats you want: stats count by user
Try this field extraction:
Sorry, I assumed you knew how to create a field extraction. There are two ways: using the Manager or doing an inline extraction.
Inline extraction: you need to pipe this into the search:
| rex field=_raw "<the regular expression from above>"
Using the Manager:
Create field extractions -> New Extraction -> complete the form with the sourcetype and the regex from above
So, the first one is pre-populated by Splunk, as the message has key-value pairs:
2014-02-12T20:56:39.122238-05:00 myhost Juniper: id=firewall time="2014-02-12 20:56:39" pri=6 fw=184.108.40.206 vpn=ive user=a123456 realm="Siteminder"
The second one does not have key value pairs:
2014-02-12T17:28:38.796343-05:00 myhost1 Juniper: 2014-02-12 17:28:39 - ive - [220.127.116.11] A666666(Siteminder)[TSO - Web Access (LAN)] - WebRequest completed
So, I need both the a123456 and the A666666 values.
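As an added example (not code from the thread), the two extractions and the "count by user" rollup worked through in Python over the two sample lines above plus a few constructed events. The regexes use the (?P&lt;name&gt;...) named-group syntax, which Splunk's rex command (PCRE) also accepts, so both patterns can be pasted into "| rex field=_raw "..."" as-is; the extra events, the normalize option and the function names are assumptions for the demonstration only.

```python
import re
from collections import Counter

# Constructed sample events: the first two are the lines posted in the thread,
# the rest are made up here to show repeated users, a second account, a
# different-case spelling of the same account, and an event with no user at all.
EVENTS = [
    '2014-02-12T20:56:39.122238-05:00 myhost Juniper: id=firewall time="2014-02-12 20:56:39" '
    'pri=6 fw=184.108.40.206 vpn=ive user=a123456 realm="Siteminder"',
    '2014-02-12T17:28:38.796343-05:00 myhost1 Juniper: 2014-02-12 17:28:39 - ive - '
    '[220.127.116.11] A666666(Siteminder)[TSO - Web Access (LAN)] - WebRequest completed',
    '2014-02-12T20:57:01.000000-05:00 myhost Juniper: id=firewall time="2014-02-12 20:57:01" '
    'pri=6 fw=184.108.40.206 vpn=ive user=b222222 realm="Siteminder"',
    '2014-02-12T17:29:10.000000-05:00 myhost1 Juniper: 2014-02-12 17:29:10 - ive - '
    '[10.1.2.3] A666666(Siteminder)[TSO - Web Access (LAN)] - WebRequest completed',
    '2014-02-12T20:58:30.000000-05:00 myhost Juniper: id=firewall time="2014-02-12 20:58:30" '
    'pri=6 fw=184.108.40.206 vpn=ive user=A123456 realm="Siteminder"',
    '2014-02-12T17:30:00.000000-05:00 myhost1 Juniper: 2014-02-12 17:30:00 - ive - Session timeout',
]

# Format 1 (key=value): mirrors what Splunk's automatic KV extraction does for user=...
# Value ends at whitespace or a quote so a quoted value would not swallow the closing quote.
KV_USER = re.compile(r'\buser=(?P<user>[^\s"]+)')

# Format 2 (positional): the user is the token right after the bracketed client IP
# and is immediately followed by "(realm)". Anchoring on the IP avoids matching
# other "word(" fragments later in the line, such as "Access (LAN)".
POS_USER = re.compile(
    r'\[\d{1,3}(?:\.\d{1,3}){3}\]\s+(?P<user>[^\s(]+)\((?P<realm>[^)]*)\)'
)


def extract_user(event: str):
    """Return the user from either format, or None if the event carries no user."""
    for pattern in (KV_USER, POS_USER):
        m = pattern.search(event)
        if m:
            return m.group('user')
    return None


def count_by_user(events, normalize: bool = False) -> Counter:
    """Equivalent of `... | stats count by user`.

    Events with no user field are dropped, exactly as stats does with a
    missing by-field. Splunk compares field values case-sensitively, so
    a123456 and A123456 are separate rows unless the value is lowercased
    first (the SPL equivalent is `| eval user=lower(user)` before stats);
    normalize=True shows that variant.
    """
    users = (extract_user(e) for e in events)
    users = (u for u in users if u is not None)
    if normalize:
        users = (u.lower() for u in users)
    return Counter(users)


if __name__ == '__main__':
    for user, n in count_by_user(EVENTS).most_common():
        print(f'{user}\t{n}')
```

The search-time equivalent is "| rex field=_raw "\[\d{1,3}(?:\.\d{1,3}){3}\]\s+(?P&lt;user&gt;[^\s(]+)\((?P&lt;realm&gt;[^)]*)\)" | stats count by user"; rex simply leaves the field unset on the key-value events, where the automatic extraction has already populated user, so one stats call covers both feeds. Watch the case difference between the two feeds (a123456 versus A123456 above): add "| eval user=lower(user)" before stats if both feeds refer to the same accounts.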