Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction

N92
Path Finder
‎10-03-2019 08:14 AM

Same sourcetype have two different patterns in that case how can I define field extractions? Because field extractions can work on the host, source or sourcetype only.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎10-04-2019 07:55 AM

Field extractions only work when they work.

I know that sounds ... rather dumb, but it's actually the case that it's that simple.

For instance, two log lines (I'm winging it - there's no date/times in here, they're just examples):

Mary clicked button "apply changes"
Martin exited screen "payment options"

First, I'd notice that you could easily do an extraction that would cover both (name, action, action_target) or something like that.

But, if you had one extraction like
(?<name>\S+)\s+clicked button\s+"(?<target>[^"]*)
and another
(?<name>\S+)\s+exited screen\s+"(?<target>[^"]*)
the first would only apply to the first message and the second to the second, because they're achored with text in the middle so they'll only match when they match.

The problem MAY come in that the field Extractor (the web page field extraction builder in the Splunk UI) doesn't build good enough extractions to always make this work right, but we can help with that if we had sample data (probably in another question).

And even if they overlapped, that's OK. It generally just works fine though you may end up with multivalued values or other interesting things depending on exactly how the extractions were done.

Happy Splunking!
-Rich

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎10-04-2019 07:55 AM

Field extractions only work when they work.

I know that sounds ... rather dumb, but it's actually the case that it's that simple.

For instance, two log lines (I'm winging it - there's no date/times in here, they're just examples):

Mary clicked button "apply changes"
Martin exited screen "payment options"

First, I'd notice that you could easily do an extraction that would cover both (name, action, action_target) or something like that.

But, if you had one extraction like
(?<name>\S+)\s+clicked button\s+"(?<target>[^"]*)
and another
(?<name>\S+)\s+exited screen\s+"(?<target>[^"]*)
the first would only apply to the first message and the second to the second, because they're achored with text in the middle so they'll only match when they match.

The problem MAY come in that the field Extractor (the web page field extraction builder in the Splunk UI) doesn't build good enough extractions to always make this work right, but we can help with that if we had sample data (probably in another question).

And even if they overlapped, that's OK. It generally just works fine though you may end up with multivalued values or other interesting things depending on exactly how the extractions were done.

Happy Splunking!
-Rich

0 Karma
Reply
Solved! Jump to solution

N92
Path Finder
‎10-21-2019 06:10 AM

Can I put this regex directly in transform.conf?

If yes then what would be format and dest key. I gone through the documentation but not able to clearly understand. Would be great, If you share some overview for that values.

0 Karma
Reply
Solved! Jump to solution

jpolvino
Builder
‎10-04-2019 07:49 AM

Can you please post a couple examples? If you want to do this on the fly (i.e., in a search), then the solution usually involves using a regular expression that uses group constructs along with "or" and quantifiers.

0 Karma
Reply
Solved! Jump to solution

N92
Path Finder
‎10-21-2019 05:58 AM

I don't have handy that example. Will share soon. meanwhile could you give me reference for group constructs.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...