Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract variable number of fields

grist
New Member
‎09-19-2011 11:18 PM

I have a Smarts Audit Log that I am trying to do a search time field extraction for. Most of the lines are fairly regularly formatted using tabs (\t) as a seperator.

The problem I have is that while most of the lines have 8 fields, there are some that only have 5 and I'm not sure how to deal with that so they can all live happily in the same report. I've read a few of the suggested fixes but they seem to rely on there being a particular description field to tailor different regexes to different line formats. Mine just come up short if the fields aren't there.

Any suggestions or pointers gratefully accepted. 🙂

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎09-20-2011 01:11 PM

You can have multiple extractions occur against different types of events for a specific sourcetype. This is not uncommon. The key here is that you must find a way to differentiate the lines that only have 5 fields. If it is formatted differently, that will be pretty straightforward. If it is formatted with only delimiters, then you can create a regex that operates on 5 values instead of 8. Posting a data sample will allow others to help further.

0 Karma
Reply

grist
New Member
‎09-20-2011 05:41 PM

The only difference between the lines is the number of fields. They are all tab separated so it's pretty easy to split them with a regex.

I'll have a go with 2 regexes. I'm thinking I need to so something like what's described in the first answer to http://splunk-base.splunk.com/answers/23274/parsing-variable-fields-in-a-log-file but I'm not 100% on how to do it so all the results will show in the same search.

0 Karma
Reply

MarioM
Motivator
‎09-19-2011 11:21 PM

if you could post an example of your log that would be helpful

Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...