Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction

Sheela
Path Finder
‎09-19-2011 02:34 PM

I want to create report for events whose field names haven't been extracted. I have SSH logs of the format "Accepted publickey for user XYZ" , "Accepted publickey for user ABC" and so on. I want to collect statistics for XYZ and other users. When I test an extraction, I get a javascript error on page which says invalid argument. Even if I save a field extraction, I'm not able to use it in my search. Can someone please tell me how to go about it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MarioM
Motivator
‎09-19-2011 10:48 PM

I am not sure why you getting java script error maybe an issue with your browser...

There are several methods to extract fields:

First i usually use erex to see what regex will catch my field values:

... | erex user examples="XYZ, ABC" counterexamples="99/2"

Then it will give me a regex which i would use in rex command:

... | rex field=_raw "Accepted\spublickey\sfor\suser\s(?<user>.*[^\s]) "

Then I Use the Field extractions page in Manager.

Here you will find all the methods to extract fields : Fields and field extractions

View solution in original post

Reply
Solved! Jump to solution
Solution

MarioM
Motivator
‎09-19-2011 10:48 PM

I am not sure why you getting java script error maybe an issue with your browser...

There are several methods to extract fields:

First i usually use erex to see what regex will catch my field values:

... | erex user examples="XYZ, ABC" counterexamples="99/2"

Then it will give me a regex which i would use in rex command:

... | rex field=_raw "Accepted\spublickey\sfor\suser\s(?<user>.*[^\s]) "

Then I Use the Field extractions page in Manager.

Here you will find all the methods to extract fields : Fields and field extractions

Reply
Solved! Jump to solution

Sheela
Path Finder
‎09-21-2011 08:43 AM

That worked perfectly! Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...