I have fields in the format of LOG_ID, DEVICE_DATA, USERNAME that I'd like to extract, and I'd like to exclude the default Splunk fields like _time, *_raw, timeendpos, timestartpos, etc. Is that possible to do through the regex command? Can I chain that with table somehow?
If you have "key=value" pairs, Splunk should be extracting them as a field by the name of "key" and the corresponding value "value".
You should be able to limit your searches by simply adding the field=value as part of your search terms. (Example: "LOG_ID=12312")
If you are interested in displaying only certain fields in a table format, then piping into a table command and listing the fields you want is enough.
The data in the fields can contain anything, so I don't think I can do filtering based on that. An example would be LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST"
Can you update the question with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc.)?
No, the regex command is used for filtering search results based on a regular expression. The rex command is used for extracting fields out of events, though. Including/excluding fields is done using the fields command.
Based on your question it sounds like you should take a tour of how Splunk works. Field extractions are covered here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime
And there's an excellent Splunk tutorial: http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial
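Putting the two answers together as an added example (this search is not from the original thread or from Splunk's documentation): it runs against the constructed sample line from the question, LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST". The index name "app" and sourcetype "device_log" are assumptions. The first line narrows the search by field value, as the first answer suggests. The rex line extracts the three fields with named capture groups, which is only needed when Splunk's automatic key=value extraction has not already produced them (the quoted values are captured with [^\"]* so a value containing spaces is taken whole). The regex line filters events on an extracted field, the fields line drops the default fields the question lists, and table displays only the three columns wanted.

```spl
index=app sourcetype=device_log LOG_ID=12312
| rex field=_raw "LOG_ID=(?<LOG_ID>\d+)\s+DEVICE_DATA=\"(?<DEVICE_DATA>[^\"]*)\"\s+USERNAME=\"(?<USERNAME>[^\"]*)\""
| regex USERNAME="^[A-Z0-9_]+$"
| fields - _raw _time timestartpos timeendpos
| table LOG_ID DEVICE_DATA USERNAME
```

Because table already restricts the output to the columns it names, the fields line is redundant when table is the last command; it matters when further commands follow (a stats or lookup that should not see _raw) and, for fields - _raw, it stops the raw event text being returned from the indexers, which helps on large result sets. Drop the regex line if no filtering on the extracted value is needed; it is there to show the distinction the second answer draws between regex (filter events) and rex (extract fields).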