Splunk Search

Fields extraction in file with single and multiline logs

clementros
Path Finder

Hi,

I'm new to Splunk. I currently want to analyse a log file. I'm facing issues extracting information because each line contains different information. The file contains single and multiline logs.

Here is an example of the log file:

I want to extract general information like the timestamp (2019-02-08 00:40:03) and the status (INFO|TRACE or other message).

And I also want to be able to extract other information from each log line.

Thanks for your help

0 Karma
1 Solution

woodcock
Esteemed Legend

If the log file was onboarded properly, Splunk will be breaking the file into events every time there is a timestamp at the beginning of the line and this timestamp will be put into the _time field. So there is no reason to extract the timestamp again. If you need it presented in a different way, just do:

| eval timestamp=strftime(_time, "Your Time Format Here")

To get the other fields, you just need to create appropriate RegEx strings. For example, you can do this:

| rex "[\r\n\s]+\[TRACE\]\s+Reason\s+\{\s+(?<Reason>[^\r\n]+)"

0 Karma
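To make the two halves of this answer concrete (ingest-time event breaking on a leading timestamp, then search-time extraction with a regex), here is an added Python example that is not part of the thread and not Splunk code. It mimics what Splunk's timestamp-based line breaking does to a file mixing single- and multi-line entries, then applies the answer's rex to each event. The sample log is constructed, because the original post's example did not survive; the only change to the regex is Python's (?P<name>...) group syntax in place of PCRE's (?<name>...).

```python
"""Simulate Splunk's ingest-time event breaking and search-time rex extraction
for a file that mixes single-line and multi-line log entries.
Added example; not from the thread and not Splunk's own code."""
import re
from datetime import datetime

# Constructed sample (not from the original post): three events, the second
# spans several lines and carries the "[TRACE] Reason {" block the rex targets.
SAMPLE_LOG = """\
2019-02-08 00:40:03 INFO Service started
2019-02-08 00:40:05 TRACE Request received
[TRACE] Reason { connection reset by peer
    detail: retry scheduled
2019-02-08 00:40:07 INFO Service stopped
"""

# Splunk's default line breaking starts a new event at a line that begins with
# a recognisable timestamp; this mirrors that for the YYYY-MM-DD HH:MM:SS
# format quoted in the question.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Event header: the timestamp (becomes _time) followed by the status word.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<status>[A-Z]+)"
)

# The rex from the accepted answer, with (?P<Reason>...) for Python's re.
REASON = re.compile(r"[\r\n\s]+\[TRACE\]\s+Reason\s+\{\s+(?P<Reason>[^\r\n]+)")


def break_events(raw: str) -> list[str]:
    """Split raw text into events. A line without a leading timestamp is a
    continuation of the current event, which is how multi-line entries survive."""
    events: list[str] = []
    for line in raw.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_fields(event: str) -> dict:
    """Search-time extraction: _time and status from the header, plus the
    Reason field the rex pulls from the multi-line body (None when absent)."""
    fields: dict = {"_raw": event}
    m = HEADER.match(event)
    if m:
        fields["_time"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields["status"] = m.group("status")
    r = REASON.search(event)
    fields["Reason"] = r.group("Reason") if r else None
    return fields


def parse_log(raw: str) -> list[dict]:
    """Full pipeline: break the file into events, then extract fields."""
    return [extract_fields(e) for e in break_events(raw)]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["_time"], rec["status"], rec["Reason"])
```

The point of the split into break_events and extract_fields is the one the answer makes: once the file is broken into events at ingest, the timestamp is already in _time and the per-field work is only a regex over each event's _raw text, so a continuation line such as the "[TRACE] Reason {" block is reachable by the rex because it stays inside the same event.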


clementros
Path Finder

Thanks for your answer 🙂

So I need to build a regex for every field extraction?

0 Karma

woodcock
Esteemed Legend

Either that or you need to clip out all of the extra junk to reconstruct the original JSON and pass it to spath.

0 Karma