Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract variable number of fields

grist
New Member
‎09-19-2011 11:18 PM

I have a Smarts Audit Log that I am trying to do a search time field extraction for. Most of the lines are fairly regularly formatted using tabs (\t) as a seperator.

The problem I have is that while most of the lines have 8 fields, there are some that only have 5 and I'm not sure how to deal with that so they can all live happily in the same report. I've read a few of the suggested fixes but they seem to rely on there being a particular description field to tailor different regexes to different line formats. Mine just come up short if the fields aren't there.

Any suggestions or pointers gratefully accepted. 🙂

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎09-20-2011 01:11 PM

You can have multiple extractions occur against different types of events for a specific sourcetype. This is not uncommon. The key here is that you must find a way to differentiate the lines that only have 5 fields. If it is formatted differently, that will be pretty straightforward. If it is formatted with only delimiters, then you can create a regex that operates on 5 values instead of 8. Posting a data sample will allow others to help further.

0 Karma
Reply

grist
New Member
‎09-20-2011 05:41 PM

The only difference between the lines is the number of fields. They are all tab separated so it's pretty easy to split them with a regex.

I'll have a go with 2 regexes. I'm thinking I need to so something like what's described in the first answer to http://splunk-base.splunk.com/answers/23274/parsing-variable-fields-in-a-log-file but I'm not 100% on how to do it so all the results will show in the same search.

0 Karma
Reply

MarioM
Motivator
‎09-19-2011 11:21 PM

if you could post an example of your log that would be helpful

Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...