Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract these file names that are in the same event?

daniel333
Builder
‎04-16-2018 12:42 PM

Hi all,

I have a file that looks like this - 

Added files:
added: /etc/addedthisfile
added: /etc/cron.daily/tripwire-check
added: /etc/tripwire

How can field extract added=*?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-16-2018 01:36 PM

In search you can do like this (in-line field extraction: extracting field 'Files' as multivalued field which contains all paths)

your base search | rex max_match=0 "added: (?<Files>\S+)"

To do that automatically (saved field extraction), you can follow this

https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ConfigureSplunktoparsemulti-valuefields
OR
https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Exampleconfigurationsusingfieldtransfor...

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-16-2018 01:36 PM

In search you can do like this (in-line field extraction: extracting field 'Files' as multivalued field which contains all paths)

your base search | rex max_match=0 "added: (?<Files>\S+)"

To do that automatically (saved field extraction), you can follow this

https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ConfigureSplunktoparsemulti-valuefields
OR
https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Exampleconfigurationsusingfieldtransfor...

Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...