Extract New Fields

bogdan_nicolesc
Communicator

Hi there,

I'm trying so hard to make a new field in Splunk, but I don't know what I'm doing wrong.

I would like to extract "Log Closed" or just "Log" from an event, but when I do, I get all kinds of results other than what I want.

I tried with extract and require.

On the extract end I get a mixed variety of results, most of them with no relation to what I am looking for.

On the require end, when I select all the correct lines, I cannot press the Next button as it is grayed out. And I have no other clue what to do next.

My question is: what path should I take to get "Log Closed" or just "Log" from the event "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed" to make a new field? I would like to make a new field as I have a "Log Started" and a "Log Closed".

I even tried to look at the regex, but I understand none of it, except I know that \n is a new line.

The regex is: ^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)

Thank you.

ITWhisperer
SplunkTrust

Use regex101.com to test the regex - it gives you a breakdown of what the regex means.

In your case, if you simply want a field called LogClosed with the value "Log Closed" in it and you are not interested in any other string, you could simply use this regex:

(?P<LogClosed>Log Closed)

bogdan_nicolesc
Communicator

Thank you very much @ITWhisperer.

Why is it not showing this when checking the regex, but instead showing me some mumbo jumbo?

Also, how do I add "Log Started" to this (?P<LogClosed>Log Closed)?

I tried something like this (?P<Log>Log Started)|(Log Closed) but I get only the "Log Started".

What I want in the end is to make a pivot of the time when the "event" occurred and "Log Started" / "Log Closed", and get a list of "Log Started" / "Log Closed" listed by time ... if it makes sense to you what I am trying to describe.

So having 2 fields, one called "Log Started" and the other "Log Closed", I don't think is going to work. In my head I get a reference to Windows logs where there are codes for various events. And that "code" has multiple numbers, but if I tell Splunk what code it should look for, it works like a charm.

Anyway ... I hope I was clear enough to understand and I look forward to your reply.

ITWhisperer
SplunkTrust
(?P<Log>Log (Started|Closed))
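
The regexes from this thread run over a few constructed events with Python's re module (which uses the same (?P<name>...) named-group syntax as Splunk), as an added example that is not code from the thread; the sample events and the function names are assumptions. It also shows why the (?P<Log>Log Started)|(Log Closed) attempt only ever yields "Log Started": the named group wraps just the first alternative, so a "Log Closed" event matches but leaves the Log group empty.

```python
import re
from typing import Optional

# Constructed sample events in the format quoted in the question (not real log data)
SAMPLE_EVENTS = [
    "2021-11-18 02:17:59.003 - Thread: 1 -> Log Started",
    "2021-11-18 02:18:30.120 - Thread: 2 -> Connection opened",
    "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed",
]

# The regex from the accepted answer: one field, Log, holding either value.
LOG_RE = re.compile(r"(?P<Log>Log (Started|Closed))")

# The attempt from the question: the named group only wraps the first
# alternative, so "Log Closed" matches but the Log group stays empty.
BROKEN_RE = re.compile(r"(?P<Log>Log Started)|(Log Closed)")

# Timestamp at the start of each event, used to order the results (assumed format).
TIME_RE = re.compile(r"^(?P<_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def extract_log(event: str, pattern: re.Pattern = LOG_RE) -> Optional[str]:
    """Return the Log field value for one event, or None if the event does not match
    or the named group did not participate in the match (the BROKEN_RE case)."""
    m = pattern.search(event)
    if m is None:
        return None
    return m.group("Log")


def log_timeline(events):
    """Return (timestamp, Log) pairs sorted by time: the 'listed by time' view
    the poster asked for, with non-matching events left out."""
    rows = []
    for ev in events:
        t = TIME_RE.match(ev)
        log = extract_log(ev)
        if t and log:
            rows.append((t.group("_time"), log))
    return sorted(rows)


if __name__ == "__main__":
    for t, log in log_timeline(SAMPLE_EVENTS):
        print(t, log)
    # The "|" attempt: the Log group is None for the "Log Closed" event
    print(extract_log(SAMPLE_EVENTS[2], BROKEN_RE))
```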

bogdan_nicolesc
Communicator

Hi @ITWhisperer,

Where or how do you learn this stuff?

I mean, I know there is info out there somewhere, but how do you put things together, or, as they say, connect the dots?

I'm asking because even though I tried to use regex101.com, it was not that obvious a choice to use this form.

Anyway ... Thank you so much.

Where do I send beer? :))

ITWhisperer
SplunkTrust

regex101.com is a great resource - trial and error goes a long way for learning this stuff - you can probably find other resources too; https://www.regular-expressions.info/ has a pretty comprehensive tutorial, for example.
