Splunk Search

Creating an interesting field?

cruzalan90
Explorer

I have a log set up as: timestamp, user account, query

Splunk is not identifying the second column as 'user account', mostly because there isn't anything to identify it as a user account (no column title). Is there any way to make Splunk read this column so that it will show as an interesting field regardless of the value?

Log sample:
2013-05-13 15:00:00,000 C012345(user account #)
2013-05-13 15:00:00,000 C543210

0 Karma
1 Solution

wrangler2x
Motivator

You should be able to accomplish this by reading this documentation:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime

You'll eventually want to create a field extract in the Manager. But before you do, use the rex command to create a field extract on-the-fly. The '...' in the example below represents your search, then just tack-on the rex. 'user_id' can be any name you want it to be.

... | rex "^(?:[^ ]* ){2}(?<user_id>[^ ]+)\s"

The first section skips the data and time fields, and the second part picks up the third field and assigns it to the field name 'user_id'. Then you can do the search, and look at your menu of field names, and click on the field to see what it is capturing.

Once you have this working that way you want it to, take everything inside the quotes for the rex and put it into a new field extract via the manager.

0 Karma

cruzalan90
Explorer

What I meant by columns was referring to the actual logs.

  1. index = hrfarm | rex "^(?:[^ ]* ){2}(?<account_ID>[^ ]+)\s"

  2. 2013-05-13 17:32:26,962 C083363 /* GUID: C083363 */ select permission1_.PermissionId as col_0_0_ from...

Rex command works, just not at the correct position, and when I change the position to either {1} or {3} it's still not correct.

Interesting field "account_ID"
position {2} returns: GUID: or sometimes commands:
position {1} returns: 2013-05-13 17:32:26,962 C083363
position {3} returns: GUID: C083363 (close but I want the first account ID value)

0 Karma
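The rex pattern from the accepted answer, and the account_ID version the asker tried against the real event with the `/* GUID: ... */` comment, can both be tried offline before anything is saved as a field extraction in Manager. The following is an added example and not code from the thread or from Splunk: JavaScript named groups use the same `(?<name>...)` syntax as the PCRE-based rex command, so the posted pattern runs unchanged. The sample events, the `REX_TIGHT` pattern and the helper names are constructed for this example; the tightened pattern assumes account IDs always look like the ones quoted (a `C` followed by digits), which the thread suggests but does not state.

```javascript
// Added example (not from the thread): exercise a rex-style pattern against
// constructed sample events and see exactly which token it captures.

// Pattern exactly as posted in the accepted answer, with the group renamed to
// account_ID as the asker did. It skips two space-delimited tokens (date and
// time) and captures the third, but it also requires a whitespace character
// AFTER the captured token, so an event that ends with the account ID does not
// match at all and yields no field.
const REX_AS_POSTED = /^(?:[^ ]* ){2}(?<account_ID>[^ ]+)\s/;

// Tightened variant (an assumption for this example, not from the thread):
// capture the third token only when it has the shape of the IDs in the samples
// (C followed by digits), and accept end-of-line as well as whitespace after it.
// Pinning the format stops a stray token such as "/*" from being extracted as
// an account ID when the ID is missing from an event.
const REX_TIGHT = /^(?:[^ ]* ){2}(?<account_ID>C\d+)(?:\s|$)/;

// Constructed sample events modelled on the ones quoted in the thread.
const SAMPLE_EVENTS = [
  '2013-05-13 15:00:00,000 C012345',
  '2013-05-13 15:00:00,000 C543210',
  '2013-05-13 17:32:26,962 C083363 /* GUID: C083363 */ select permission1_.PermissionId as col_0_0_ from t',
  // Constructed: an event where the account ID is absent entirely.
  '2013-05-13 17:33:01,004 /* GUID: C000001 */ select 1',
];

// Apply a pattern the way rex does: return the named fields of the first
// match, or null when the event does not match (rex then adds no field).
function extractFields(pattern, event) {
  const m = pattern.exec(event);
  return m ? { ...m.groups } : null;
}

// Run a pattern over a batch of events and report the captured value per
// event plus how many events produced the field. This is the offline
// equivalent of checking the field's event count in the fields sidebar.
function coverage(pattern, events, field = 'account_ID') {
  const values = events.map((e) => {
    const fields = extractFields(pattern, e);
    return fields ? fields[field] : null;
  });
  return { values, matched: values.filter((v) => v !== null).length };
}

// Render a JavaScript pattern as the rex clause you would tack onto a search.
// The regex source is reused verbatim because the syntax is shared.
function toRexCommand(pattern) {
  return `rex "${pattern.source}"`;
}

function main() {
  for (const [label, pattern] of [['as posted', REX_AS_POSTED], ['tightened', REX_TIGHT]]) {
    const { values, matched } = coverage(pattern, SAMPLE_EVENTS);
    console.log(`${label}: ${toRexCommand(pattern)}`);
    console.log(`  matched ${matched}/${SAMPLE_EVENTS.length} events:`, values);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  main();
}
```

Running it shows the posted pattern capturing `C083363` from the long event but nothing from the two short sample lines (no whitespace follows the ID), and `/*` from the event with no ID; the tightened pattern captures the three real IDs and leaves the ID-less event without a field. Whichever pattern ends up in the field extraction, checking it against a handful of representative events this way is faster than clicking through the fields menu.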

wrangler2x
Motivator

As far as the rex goes, and in your example (2013-05-13 15:00:00,000 C012345) it is skipping 2013-05-13 and 15:00:00,000 and then picking up C012345 as a field extract under the label user_id. It does not affect the output of your search other than to make this field available by name, and then to appear under "Interesting Field(s)" unless you have selected it to appear in the "selected fields" list.

Splunk should automagically have figured out the date field and the time fields. timestartpos shows where it sees these beginning (should be zero) and timeendpos where it ends. Also date_ fields.

0 Karma

wrangler2x
Motivator

I don't understand what you mean by column 1, so let's start with you posting some more information.

  1. Let's see the actual search you are using.
  2. Let's see the search result (cut and paste) for one record.
  3. Let's see the raw data. To do this, on one record of the search result you click on the blue box with the white arrow to reveal a 3-item menu. Click on "show source" and then copy and paste the record that is highlighted.

0 Karma

cruzalan90
Explorer

Something is still not right.

The rex command is very close to what I'm looking for but it looks like timestamp and account ID are being identified as column 1.

Right now: 2013-05-13 15:00:00,000 C012345 = Column 1

Should be:
2013-05-13 15:00:00,000 = Column 1

C012345 = Column 2

I'm still fairly new to Splunk so what can I do to separate timestamp from account ID first before I can apply the rex command?

Thank you!

0 Karma