Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting fields for a report with regex not working

henrikb
New Member
‎09-16-2010 06:58 AM

Hi

I'm trying to "extract fields" with regular expressions for a specific position on a comma separated log file that always has the same number of fields on each row.

The file looks like this (one row):

2010-09-15 15:38:55 ,Default_TCr10.20_Webb.war,,ODRTEST01,HTTP,37,1,0,37,37,1,2010-09-15 15:33:50 ,2010-09-15 15:38:50 ,0,4.969857,0,0,0,2010-09-15 15:33:50,0

It's separated in 20 fields.

Lets say that I want the field at position 15 i.e. 4.969857 The problem for me how to solve this is that the fields after and before can be '', '0' or 'a date-time' and I can't get | (pipe) and parenthesis to work.

Is it possible solve in Splunk?

I'm using version 4.1.3.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-16-2010 07:25 AM

If your events always have those 20 fields separated by commas, you should use a delimiter-based field extraction, as described here in the Knowledge Manual :

http://www.splunk.com/base/Documentation/latest/Knowledge/Createandmaintainsearch-timefieldextractio...

In your case, the following steps should work.

1 - Define the delimiter-based field extraction in $SPLUNK_HOME/etc/system/local/transforms.conf

[delimiter_based_extraction] 
DELIMS = "," 
FIELDS = field1, field2, field3, field4, field5, field6, field7, field8, field9, field10, field11, field12, field13, field14, field15, field16, field17, field18, field19, field20

2 - Call that extraction for the desired spec (source, sourcetype or host) in $SPLUNK_HOME/etc/system/local/props.conf

[my_sourcetype]
REPORT-delims = delimiter_based_extraction

The fields defined for extraction should now appear in the field picker.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎09-16-2010 07:25 AM

If your events always have those 20 fields separated by commas, you should use a delimiter-based field extraction, as described here in the Knowledge Manual :

http://www.splunk.com/base/Documentation/latest/Knowledge/Createandmaintainsearch-timefieldextractio...

In your case, the following steps should work.

1 - Define the delimiter-based field extraction in $SPLUNK_HOME/etc/system/local/transforms.conf

[delimiter_based_extraction] 
DELIMS = "," 
FIELDS = field1, field2, field3, field4, field5, field6, field7, field8, field9, field10, field11, field12, field13, field14, field15, field16, field17, field18, field19, field20

2 - Call that extraction for the desired spec (source, sourcetype or host) in $SPLUNK_HOME/etc/system/local/props.conf

[my_sourcetype]
REPORT-delims = delimiter_based_extraction

The fields defined for extraction should now appear in the field picker.

Reply
Solved! Jump to solution

henrikb
New Member
‎09-17-2010 08:36 AM

Thanks, this will work for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...