Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract these file names that are in the same event?

daniel333
Builder
‎04-16-2018 12:42 PM

Hi all,

I have a file that looks like this - 

Added files:
added: /etc/addedthisfile
added: /etc/cron.daily/tripwire-check
added: /etc/tripwire

How can field extract added=*?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-16-2018 01:36 PM

In search you can do like this (in-line field extraction: extracting field 'Files' as multivalued field which contains all paths)

your base search | rex max_match=0 "added: (?<Files>\S+)"

To do that automatically (saved field extraction), you can follow this

https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ConfigureSplunktoparsemulti-valuefields
OR
https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Exampleconfigurationsusingfieldtransfor...

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-16-2018 01:36 PM

In search you can do like this (in-line field extraction: extracting field 'Files' as multivalued field which contains all paths)

your base search | rex max_match=0 "added: (?<Files>\S+)"

To do that automatically (saved field extraction), you can follow this

https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ConfigureSplunktoparsemulti-valuefields
OR
https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Exampleconfigurationsusingfieldtransfor...

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...