Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extraction

visa87
Explorer
‎01-06-2015 09:59 PM

Hi,

I am trying to read some systemout log files and extract data from it.
Sample info in the log is as below :

Field1 Accept Indicator :: true
Field1 Accept Indicator :: false
Field2 Accept Indicator :: true
Field2 Accept Indicator :: false
Total Time Taken by ReqA****156
etc

I am new to Splunk and not sure what is the correct approach to get these fields extracted..
I tried using the regex generated by Field Extraction but it does not give accurate results.

Can anyone help me with the regex as well?

Tags (2)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-08-2015 01:08 AM

For understanding the difference between having your extractions in props.conf vs transforms.conf, reading through the spec file for props.conf can be quite englightening:

http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Propsconf

Defining new search-time field extractions. You can define basic search-time field
extractions entirely through props.conf. But a transforms.conf component is required if
you need to create search-time field extractions that involve one or more of the following:
* Reuse of the same field-extracting regular expression across multiple sources,
source types, or hosts.
* Application of more than one regex to the same source, source type, or host.
* Delimiter-based field extractions (they involve field-value pairs that are
separated by commas, colons, semicolons, bars, or something similar).
* Extraction of multiple values for the same field (multivalued field extraction).
* Extraction of fields with names that begin with numbers or underscores.

Reply

visa87
Explorer
‎01-07-2015 08:49 PM

Thanks... That helped. But I dont understand what can be achieved by adding these regex to transforms.

0 Karma
Reply

abacus_machine_
Engager
‎01-08-2015 12:44 AM

Then you can accept the answer which helped you.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-06-2015 10:59 PM

You can do regex as follows:

.. | rex field=_raw "Field1.*\:\:\s(?<f1_value>\w+)"

That would get this for Field1, you can modify for each field, assuming this is a single line event.

For the total time event-

.. | rex field=_raw "ReqA(?<time_value>\d+)"

Again, these are for single line events. You can drop those regex's into props.conf or transforms for your sourcetime and extract them there.

Reply

visa87
Explorer
‎01-06-2015 10:46 PM

I want to extract the time taken as a field and the numeric value as the value for tat field. Similarly I want Field 1 Accept Indicator as a field F1 which can either have true or false as value

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-06-2015 10:04 PM

First off, let us know what fields you want to extract, and what the values in your representative data looks like.. Then we can help!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...