Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do extract fields beginning from the end of a line.

laurensv
Path Finder
‎11-25-2010 02:59 PM

Hello,

I have a simple request 🙂 For a certain syslog source, I need to extract the 3rd word beginning from the end of a line. That's all. In a regular regex, the following works:

(\S*)[ ]\S*[ ]\S*$

And this matches correctly the SEVERE_ERROR and NORMAL_EVENT on the following lines: 

Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573
Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683

However, how do I translate this into Splunk? When I try the Interactive Field Extractor, it always wants to start from the beginning of a line and I can't seem to get the correct Splunked regex for this field 😞

Any help is greatly appreciated 😉

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎11-25-2010 04:43 PM

You can add the regex-extraction to the props.conf file. Eg. $SPLUNK_HOME/etc/system/local/props.conf or in the app you want that extraction $SPLUNK_HOME/etc/apps/<app>/local/props.conf

[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$

severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the fieldname for extractions.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎11-25-2010 04:43 PM

You can add the regex-extraction to the props.conf file. Eg. $SPLUNK_HOME/etc/system/local/props.conf or in the app you want that extraction $SPLUNK_HOME/etc/apps/<app>/local/props.conf

[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$

severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the fieldname for extractions.

0 Karma
Reply
Solved! Jump to solution

laurensv
Path Finder
‎11-26-2010 02:37 PM

Done & thanks again 😉

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎11-26-2010 02:16 PM

You might want to accept the answer, if it was helpful 😉

0 Karma
Reply
Solved! Jump to solution

laurensv
Path Finder
‎11-26-2010 01:51 PM

Thank You! That did the trick 😉

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎11-26-2010 12:07 PM

I've modified the regex. This one should work.

0 Karma
Reply
Solved! Jump to solution

laurensv
Path Finder
‎11-26-2010 11:28 AM

I appreciate your help very much ;), but this does not seem to work...
While source_file and line_no are correctly extracted, I get "T" & "R" as severity in my log files. These correspond to the last letter of NORMAL_EVENT and SEVERE_ERROR respectively...

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top