Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting fields doesn't extract the same information

jhilton90
Path Finder
‎07-05-2022 09:01 AM

I'm sorting through web traffic and I'm trying to extract what device users are using from the user agent. However, when I have highlighted the device and check the preview, it has highlighted some different devices like Windows, Macintosh, Linux. 

But it has also highlighted a lot of random strings of text that definitely aren't devices, and when I've looked through these, I can clearly see the device in that user agent that hasn't been highlighted.

Is there a way to make sure devices are being highlighted to be extracted and now random strings of text etc?

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2022 09:09 AM

Hi @jhilton90,

are you using custom field extractions or the ones from a TA from Splunkbase?

If custom one, I hint to use the one for your technology from Splunkbase.

If instead you're using a TA from Splunkbase, the only way is to check one by one all the the regex extractions in the TA, but I cannot help you without the indication of what's the tecnology you're using and some sample of your logs.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...