- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
I want to extract a particular word and add it to a calculated field from a message field i have a share point server log
sample entries are
04/02/2013 00:41:51.82 w3wp.exe (0x2324) 0x1D5C SharePoint Foundation General 8e2r Medium Possible mismatch between the reported error with code = 0x81070504 and message: "There is no Web named "/IndiaAccountsCommunity/IndiaCommunityAccounts/Future Generali/_vti_bin/lists.asmx"." and the returned error with code 0x80070002. 104159c7-12e1-44b6-b4f5-5141ddaf3ea1
04/02/2013 00:35:32.94 OWSTIMER.EXE (0x0758) 0x2CB8 SharePoint Foundation Usage Infrastructure bjb7 High Call to WSS ImportEntries method with '65' entries failed for usage definition 'Microsoft.SharePoint.Administration.SPRequestUsageDefinition'. Entries will now be redirected to ULS logs (level=Verbose). Error message: An entry with the same key already exists. 3bb778c7-24f3-4d54-abcb-20069b71d953
it can be an error or ERROR or Error everything should be extracted as a single field
tried with regex,rex and eval match not able to do it.
thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... | eval error=if(match(_raw,"(?i)ERROR"),"error", "OK") | table error _raw
Will create a field called error that contains either "error" or "OK" depending if the word "error" is anywhere in the message. This is NOT case sensitive.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... | eval error=if(match(_raw,"(?i)ERROR"),"error", "OK") | table error _raw
Will create a field called error that contains either "error" or "OK" depending if the word "error" is anywhere in the message. This is NOT case sensitive.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by calculated in this sense? A field is a field, regardless of how it was created. What calculated field are you talking about, and how do you mean that the error should be "added"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i just want to extract a word "Error" from msg field and keep it in a calculated field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is not clear what you want to extract. Or how you wish to use/present the results.
regex is used for regex-based filtering of events, not for extraction of fields
eval requires that the fields you wish to operate on already exists.
rex is probably what you want (initially).
/K
New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...
Splunk and Fraud
Build Your First SPL2 App!
