Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field extraction of log file -- Each line has different format, how can I include all format in one regex?

samlinsongguo
Communicator
‎10-15-2017 08:14 PM

I am doing field extraction for a log file format as below:
line 1: field1, field2, field3, field4
line 2: field1, field2, field3, field5, field4
line 3: field1, field2, field3, field4

I can write separate regex1 for line 1 and regex 2 for line 2 format, but when I do field extraction, I can only use one regex, how can I put both regex in to cover all log format? Any suggestions?
Cheers
Sam

0 Karma
Reply

samlinsongguo
Communicator
‎10-18-2017 08:05 PM

Thank you for all the answers, what I am looking for is more on index / normalize the log when it injected rather than doing field extraction in the search query.

To achieve my goal, I end up have two field extraction Rex for this sourcetype, it seems give what I want. But I am wondering would that consume too much resource when I inject large mount of logs?

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎10-15-2017 09:56 PM

You can use something like the following (the rex command is the part you are interested in, and the rest is the setup for showing that it works) :

| makeresults 
| eval raw="line 1: field1, field2, field3, field4
line 2: field1, field2, field3, field5, field4
line 3: field1, field2, field3, field4" 
| makemv raw delim="
"
| mvexpand raw
| rex field=raw "[^:]+:\s*(?P<field1>[^,]+),\s*(?P<field2>[^,]+),\s*(?P<field3>[^,]+),\s*((?P<field5>[^,]+?),\s*?)?+\s*(?P<field4>[^,]+$)"

You will probably have to make adjustments for your actual data, but this should get you started on a complete solution.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-15-2017 08:32 PM

Please check -
sourcetype="multiplefields" | rex max_match=0 "(?<FIELDS>\S+)[\,|\n]" | table _raw FIELDS

you just want to pull all fields and make a table like this photo or some other operations you want to do, please clarify -
(PS- on the photo, one or two fields are not picked up, that is due to my sample file.)
alt text

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Preview file
61 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...