Splunk Enterprise

Regarding extracting show source code from an event

animeshkmr54
Observer

I want to know how can I extract show source code from event action type. I tried using _raw and and rex command. I even tried using sed and regex but didn't work. 

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Could you be more specific, please?  It would help if you shared some sample events and highlighted what you wish to extract.

---
If this reply helps you, Karma would be appreciated.
0 Karma

animeshkmr54
Observer

Like when I go and search for "flooded" I get this result. 

animeshkmr54_0-1603355424920.png

 

Then I click on "Event Actions -> Show Source". I get the source code :

09/11/2020 18:08:27.800:   Packets, Since Reset.......Arrived...........:   10136523
09/11/2020 18:08:27.800:                              Serviced..........:   10069227
09/11/2020 18:08:27.800:                              Flooded...........:     129995
09/11/2020 18:08:27.800:                              Dropped...........:      67296
09/11/2020 18:08:27.800:            This Period.......Arrived...........:     115629
09/11/2020 18:08:27.800:                              Serviced..........:     111948
09/11/2020 18:08:27.800:                              Flooded...........:       8676
09/11/2020 18:08:27.800:                              Dropped...........:       3681
09/11/2020 18:08:27.801:   Flood Queue................Shape.............:       LIFO
09/11/2020 18:08:27.801:                              Max Configured....:        350
09/11/2020 18:08:27.801:                              High Since Reset..:        350
09/11/2020 18:08:27.801:                              High This Period..:        350
09/11/2020 18:08:27.801:   Thread Pool................Max Configured....:        250
09/11/2020 18:08:27.801:                              High Since Reset..:        250
09/11/2020 18:08:27.801:                              High This Period..:        250
09/11/2020 18:08:27.801:         In Flood Queue.......Max Configured....:        125
09/11/2020 18:08:27.802:                              High Since Reset..:        125

 

So I want to know the command so that I can extract this source code as a single event or so. 

0 Karma
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...