Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do extract fields beginning from the end of a line.

laurensv
Path Finder
‎11-25-2010 02:59 PM

Hello,

I have a simple request 🙂 For a certain syslog source, I need to extract the 3rd word beginning from the end of a line. That's all. In a regular regex, the following works:

(\S*)[ ]\S*[ ]\S*$

And this matches correctly the SEVERE_ERROR and NORMAL_EVENT on the following lines: 

Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573
Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683

However, how do I translate this into Splunk? When I try the Interactive Field Extractor, it always wants to start from the beginning of a line and I can't seem to get the correct Splunked regex for this field 😞

Any help is greatly appreciated 😉

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎11-25-2010 04:43 PM

You can add the regex-extraction to the props.conf file. Eg. $SPLUNK_HOME/etc/system/local/props.conf or in the app you want that extraction $SPLUNK_HOME/etc/apps/<app>/local/props.conf

[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$

severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the fieldname for extractions.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎11-25-2010 04:43 PM

You can add the regex-extraction to the props.conf file. Eg. $SPLUNK_HOME/etc/system/local/props.conf or in the app you want that extraction $SPLUNK_HOME/etc/apps/<app>/local/props.conf

[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$

severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the fieldname for extractions.

0 Karma
Reply
Solved! Jump to solution

laurensv
Path Finder
‎11-26-2010 02:37 PM

Done & thanks again 😉

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎11-26-2010 02:16 PM

You might want to accept the answer, if it was helpful 😉

0 Karma
Reply
Solved! Jump to solution

laurensv
Path Finder
‎11-26-2010 01:51 PM

Thank You! That did the trick 😉

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎11-26-2010 12:07 PM

I've modified the regex. This one should work.

0 Karma
Reply
Solved! Jump to solution

laurensv
Path Finder
‎11-26-2010 11:28 AM

I appreciate your help very much ;), but this does not seem to work...
While source_file and line_no are correctly extracted, I get "T" & "R" as severity in my log files. These correspond to the last letter of NORMAL_EVENT and SEVERE_ERROR respectively...

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...