Splunk Cloud Platform

How to extract fields from _raw event?

iamsplunker
Communicator

Hi Splunkers, 

I'm trying to extract the fields from the raw event can you help if this can be done through rex or substr and provide examples if possible.

Sample Event

[August 28, 2023 7:22:45 PM EDT] APPLE Interface IF-abcef23fw2/31 [WAN14] Disabled (100%) Designate that a disabled port or surface is the root cause. This event can be circumvent by setting the SuppressDisabledAlerts to FALSE.

 

Expected new fields as follows 
1 ) Fruit = APPLE
2) Test = Interface IF-abcef23fw2/31 [WAN14] Disabled (100%)
3) Timestamp = August 28, 2023 7:22:45 PM EDT
4) Message = Interface IF-abcef23fw2/31 [WAN14] Disabled (100%) Designate that a disabled port or surface is the root cause. This event can be circumvent by setting the SuppressDisabledAlerts to FALSE.

 

Please Advise

Labels (3)
Tags (4)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Here is an example to get Fruit Timestamp and Message

| makeresults
| eval _raw="[August 28, 2023 7:22:45 PM EDT] APPLE Interface IF-abcef23fw2/31 [WAN14] Disabled (100%) Designate that a disabled port or surface is the root cause. This event can be circumvent by setting the SuppressDisabledAlerts to FALSE."
| rex "^\[(?<Timestamp>[^\]]*)\] (?<Fruit>\w+)\s+(?<Message>.*)"

it's impossible - without knowing more - to extract Test from Message

You could do this

| rex field=Message "(?<Test>.*100%\))"

but all that is doing is saying that Test will be extracted up to a string ending in 100%)

Does Test have any definining characteristics?

0 Karma

iamsplunker
Communicator

Thanks for your response @bowesmana 

To answer your question all I wanted to extract  is “Test” until 100% from “Interface”

the characteristics are

1)the event may have 30% or 40% instead of 100%

2) Instead of “Interface” it may have string like “Machine” or “Device”

lastly I wanted to save all these Rex as individual inline extractions 1) Fruit 2) Timestamp 3) Test 4) Message so that I don’t have to define |rex at search time.

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

So, the regex for the Test extraction is the first part of the message up to a % value, so use this, so it looks for one or more numbers before the %)

| rex field=Message "(?<Test>.*\d+%\))"

As for making them Field extractions, just define them in the field extractions/transforms section of the Fields menu - I think you will have to use 2 extractions as the Test is a subset of the Message, so will require a transform, unless you make 2 regexes to extract first 3 fields then just the Test field

 

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...