Splunk Search

Extract New Fields

bogdan_nicolesc
Communicator

Hi there,

I'm trying so hard to create a new field in Splunk, but I don't know where I'm going wrong.

I would like to extract "Log Closed" or just "Log" from an event, but when I do, I get all kinds of results other than what I want.

I tried with extract and require.

On the extract end I get a mixed variety of results, most of them with no relation to what I'm looking for.

On the require end, when I select all the correct lines, I cannot press the Next button as it is grayed out. And I have no other clue what to do next.

My question is: what path should I take to get "Log Closed" or just "Log" from the event "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed" to make a new field? I would like to make a new field as I have a "Log Started" and a "Log Closed".

I even tried to look at the regex, but I understand none of it, except that I know \n is a new line.

The regex is: ^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)

Thank you.


ITWhisperer
SplunkTrust

Use regex101.com to test the regex - it gives you a breakdown of what the regex means

In your case, if you simply want a field called LogClosed with the value "Log Closed" in it and you are not interested in any other string, you could simply use this regex

(?P<LogClosed>Log Closed)

bogdan_nicolesc
Communicator

Thank you very much @ITWhisperer.

Why is it not showing this when checking the regex, but instead showing me some mumbo jumbo?

Also, how do I add "Log Started" to this (?P<LogClosed>Log Closed)?

I tried something like this (?P<Log>Log Started)|(Log Closed) but I get only the "Log Started".

What I want in the end is to make a pivot of the time when the "event" occurred and "Log Started" / "Log Closed", and get a list of "Log Started" / "Log Closed" listed by time ... if what I'm trying to describe makes sense to you.

So having 2 fields, one called "Log Started" and the other "Log Closed", I don't think is going to work. In my head I get a reference to Windows logs where there are codes for various events. That "code" has multiple numbers, but if I tell Splunk what code to look for, it works like a charm.

Anyway ... I hope I was clear enough to be understood and I look forward to your reply.


ITWhisperer
SplunkTrust
(?P<Log>Log (Started|Closed))
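An added example, not part of the thread, that runs the three regexes discussed above over constructed sample events. Python's `re` module accepts the same `(?P<name>...)` named-group syntax as Splunk, so it shows why `(?P<Log>Log Started)|(Log Closed)` yields only "Log Started" (the second alternative sits outside the named group) and what the accepted regex returns; the sample events and the `extract`, `extract_all` and `timeline` helpers are assumptions for this illustration, not Splunk code.

```python
import re

# Constructed sample events in the format quoted in the question (not real log data).
EVENTS = [
    "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed",
    "2021-11-18 02:18:59.004 - Thread: 1 -> Log Started",
    "2021-11-18 02:19:00.117 - Thread: 2 -> Connection opened to host",
]

# The three regexes from the thread.
ORIGINAL  = r"^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)"  # field extractor: ANY two words after '>'
HALF_DONE = r"(?P<Log>Log Started)|(Log Closed)"    # second alternative is outside the named group
SOLUTION  = r"(?P<Log>Log (Started|Closed))"         # alternation inside the named group


def extract(pattern, event, field):
    """Return the value of named group `field`, or None when the regex does not
    match or that group took no part in the match. Splunk's rex command behaves
    the same way: only a named group that matched becomes a field value."""
    m = re.search(pattern, event)
    return m.group(field) if m else None


def extract_all(pattern, field):
    """Apply one regex to every sample event; None marks events without a value."""
    return [extract(pattern, e, field) for e in EVENTS]


def timeline(pattern=SOLUTION, field="Log"):
    """Rough equivalent of `| rex "(?P<Log>Log (Started|Closed))" | table _time Log`:
    keep only events where the field was extracted, ordered by timestamp.
    The first 23 characters of each event are its timestamp (assumed fixed width)."""
    rows = [(e[:23], extract(pattern, e, field)) for e in EVENTS]
    return sorted((ts, value) for ts, value in rows if value is not None)


def main():
    for name, pattern, field in [("original", ORIGINAL, "LogClosed"),
                                 ("half-done", HALF_DONE, "Log"),
                                 ("solution", SOLUTION, "Log")]:
        print(f"{name:10s} {extract_all(pattern, field)}")
    print("timeline  ", timeline())


if __name__ == "__main__":
    main()
```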

bogdan_nicolesc
Communicator

Hi @ITWhisperer,

Where or how do you learn this stuff?

I mean, I know there is info out there somewhere, but how do you put things together, or, as they say, connect the dots?

I'm asking because even though I tried to use regex101.com, it was not that obvious a choice to use this form.

Anyway ... Thank you so much.

Where do I send beer? :))


ITWhisperer
SplunkTrust

regex101.com is a great resource - trial and error goes a long way for learning this stuff - you can probably find other resources too; https://www.regular-expressions.info/ has a pretty comprehensive tutorial, for example.
