Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting from log file

nravichandran
Communicator
‎07-15-2016 04:56 PM

I have the following custom log file

2016-07-15_05:58:57.5857-est label="adbcf" lastmodifiedtime="2016-07-15_05:58:57.5857-est" filename="13948.xml" directory="d:\temp" operation="deleted" size_in_bytes=434493
2016-07-15_17:57:18.5718-est monitor_label="abcd" lastmodifiedtime="2016-07-15_17:57:18.5718-est" filename="late123" directory="d:\temp" operation="created" size_in_bytes=673639

I am able to ingest into Splunk, however when i search for operation="deleted" i did not get the result.
when i search with "deleted" i am able to get the result. operation="created" returns results.
In the interesting field it only shows "created" value for operation even though both created and deleted are present in the results.

Is there anything that could be done in the custom log differently to make Splunk include the "deleted"
| timechart span=1h count by operation gives only created and ignores deleted.

Thanks in advance.

0 Karma
Reply

sundareshr
Legend
‎07-15-2016 06:33 PM

You could extract it in your search

    ... |  rex "operation=\"(?<operation>\w+)" | timechart span=1h count by operation

You could also add this rex in the Field Extraction UI to make this field available to every search.'

Reply

Raschko
Communicator
‎07-15-2016 07:26 PM

Please try the following rex command:

| rex max_match=0 "operation=\"(?<operation>[^\"]*?)\""

Do you still have one result with a multivalue "operation" field?

0 Karma
Reply

nravichandran
Communicator
‎07-18-2016 10:20 AM

I was able to figure out the rex. The following works! Thanks everyone.

rex field=_raw "(?ms)^(?:[^\"\n]*\"){9}(?P\w+)"

0 Karma
Reply

nravichandran
Communicator
‎07-15-2016 06:47 PM

index=... | rex "operation=\"(?\w+)" | table operation returns - created only eventhough deleted is present.

0 Karma
Reply

sundareshr
Legend
‎07-15-2016 07:24 PM

Try this regex then

 ... |  rex "(?<operation>deleted|created)" | timechart span=1h count by operation
0 Karma
Reply

nravichandran
Communicator
‎07-15-2016 06:50 PM

One more information i want to share. Since the logs are generating at the same time will it have any effect?

7/15/16
9:44:52.445 PM

2016-07-15_21:44:52.4452-est monitor_label="aaai" lastmodifiedtime="2016-07-15_21:44:52.4452-est" filename="late3.new" directory="d:\tesb11" operation="created" size_in_bytes=9457
2016-07-15_09:44:52.4452-est monitor_label="sssi" lastmodifiedtime="2016-07-15_09:44:52.4452-est" filename="113626.xml" directory="d:\testemp" operation="deleted" size_in_bytes=316005

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-15-2016 06:30 PM

I am not sure, but, pls search using the index name...

index=indexname "created"

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...