Splunk Search

Field extraction

ChhayaV
Communicator

hi,

I want to extract a particular word and add it to a calculated field from a message field. I have a SharePoint server log.

Sample entries are:

04/02/2013 00:41:51.82  w3wp.exe (0x2324)                           0x1D5C  SharePoint Foundation           General                         8e2r    Medium      Possible mismatch between the reported error with code = 0x81070504 and message: "There is no Web named "/IndiaAccountsCommunity/IndiaCommunityAccounts/Future Generali/_vti_bin/lists.asmx"." and the returned error with code 0x80070002. 104159c7-12e1-44b6-b4f5-5141ddaf3ea1
04/02/2013 00:35:32.94  OWSTIMER.EXE (0x0758)                       0x2CB8  SharePoint Foundation           Usage Infrastructure            bjb7    High        Call to WSS ImportEntries method with '65' entries failed for usage definition 'Microsoft.SharePoint.Administration.SPRequestUsageDefinition'. Entries will now be redirected to ULS logs (level=Verbose). Error message: An entry with the same key already exists.    3bb778c7-24f3-4d54-abcb-20069b71d953

It can be error, ERROR or Error; everything should be extracted as a single field.
Tried with regex, rex and eval match; not able to do it.

Thanks in advance.


jonuwz
Influencer
... | eval error=if(match(_raw,"(?i)ERROR"),"error", "OK") | table error _raw

Will create a field called error that contains either "error" or "OK" depending on whether the word "error" is anywhere in the message. This is NOT case-sensitive.


Ayn
Legend

What do you mean by calculated in this sense? A field is a field, regardless of how it was created. What calculated field are you talking about, and how do you mean that the error should be "added"?


ChhayaV
Communicator

I just want to extract the word "Error" from the msg field and keep it in a calculated field.


kristian_kolb
Ultra Champion

It is not clear what you want to extract. Or how you wish to use/present the results.

regex is used for regex-based filtering of events, not for extraction of fields.

eval requires that the fields you wish to operate on already exist.

rex is probably what you want (initially).

/K

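Putting the two suggestions together (jonuwz's eval/match test and kristian_kolb's pointer to rex), here is an added example search that is not from the original thread or from any of the posters. It first pulls the matched word out with rex so that the original casing (error, ERROR, Error) is kept in its own field, then derives the normalised error field from it. The index and sourcetype names are placeholder assumptions; the two sample ULS lines from the question both produce error="error", with error_word="error" for the first line and "Error" for the second.

```spl
index=sharepoint_placeholder sourcetype=sharepoint_uls_placeholder
| rex field=_raw "(?i)(?<error_word>\berror\b)"
| eval error=if(isnotnull(error_word), "error", "OK")
| table _time error error_word _raw
```

The (?i) prefix makes the rex pattern case-insensitive, the word boundaries stop it matching inside words such as "errors" only when that is what you want (drop them if partial matches should count), and isnotnull on the rex output is equivalent to the match() test in the accepted answer while also preserving the word as it appeared. To make this a real calculated field that exists at search time without being repeated in every search, the same expression can be added to props.conf for that sourcetype as EVAL-error = if(match(_raw, "(?i)\berror\b"), "error", "OK"); calculated fields are evaluated after field extraction, so an EXTRACT-error_word stanza with the rex pattern above can feed it if the original casing is needed there too.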