How do I extract fields beginning from the end of a line?

laurensv
Path Finder

Hello,

I have a simple request 🙂 For a certain syslog source, I need to extract the 3rd word beginning from the end of a line. That's all. In a regular regex, the following works:

(\S*)[ ]\S*[ ]\S*$

And this correctly matches SEVERE_ERROR and NORMAL_EVENT on the following lines:

Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573
Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683

However, how do I translate this into Splunk? When I try the Interactive Field Extractor, it always wants to start from the beginning of a line and I can't seem to get the correct Splunked regex for this field 😞

Any help is greatly appreciated 😉


ziegfried
Influencer

You can add the regex extraction to the props.conf file, e.g. $SPLUNK_HOME/etc/system/local/props.conf, or, in the app where you want that extraction, $SPLUNK_HOME/etc/apps/<app>/local/props.conf:

[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$

severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the field name for extractions.
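
Added example (not part of the thread or of Splunk itself): a Python emulation of the EXTRACT regex above, run over the two events from the question, beside an assumed reconstruction of the earlier pattern without the \s+ before the severity group, to show why that version yielded only the last letter of the severity word. Python's re module spells named groups (?P<name>...), so a small helper rewrites the PCRE (?<name>...) syntax used in props.conf.

```python
import re
from typing import Dict, Optional

# The two events quoted in the original question, embedded here as test input.
EVENTS = [
    "Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573",
    "Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683",
]

# The EXTRACT-* regex from the accepted answer, exactly as written for props.conf.
SPLUNK_EXTRACT = r"ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$"

# Assumed shape of the earlier, broken version (the thread does not quote it):
# the same pattern without \s+ before the severity group. Greedy .+ then swallows
# everything up to the last character of the severity word, leaving \w+ to match
# only "R" or "T", which is exactly what the asker reported.
BROKEN_EXTRACT = r"ProxySG.+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$"


def splunk_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left alone: \\w+ cannot match '=' or '!'.
    """
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract_fields(pattern: str, event: str) -> Optional[Dict[str, str]]:
    """Emulate a search-time EXTRACT: return the named groups as field values,
    or None when the regex does not match (Splunk then adds no fields at all)."""
    match = re.search(splunk_to_python(pattern), event)
    return match.groupdict() if match else None


if __name__ == "__main__":
    for event in EVENTS:
        print("fixed :", extract_fields(SPLUNK_EXTRACT, event))
        print("broken:", extract_fields(BROKEN_EXTRACT, event))
    # A non-ProxySG syslog line (constructed) simply produces no fields.
    print("other :", extract_fields(SPLUNK_EXTRACT, "Nov 25 13:55:04 x.x.x.x sshd[123]: Accepted publickey"))
```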


laurensv
Path Finder

Done & thanks again 😉


ziegfried
Influencer

You might want to accept the answer, if it was helpful 😉


laurensv
Path Finder

Thank You! That did the trick 😉


ziegfried
Influencer

I've modified the regex. This one should work.


laurensv
Path Finder

I appreciate your help very much ;), but this does not seem to work...
While source_file and line_no are correctly extracted, I get "T" & "R" as severity in my log files. These correspond to the last letter of NORMAL_EVENT and SEVERE_ERROR respectively...
