Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to break an incoming event into searchable fields?

lennys26
Communicator
‎09-08-2014 07:40 AM

I am struggling to figure out how to break an incoming event into [searchable] fields and am hoping someone could point me in the right direction.

See my data below which is received as you see it and without an index line, per se. I have been reading the online docs, answers, investigating props.conf and playing with regex to pull out the data fields, but am not getting anywhere. Can someone assist?

The fields that I want to utilze are from "INCATOT" through "MIDFAIL" and the corresponding values are "31614" through "0", however initially I could work with a smaller set of fields. I presume that I could use the "INCATOT" -> "MIDFAIL" text as the log index, but I really could use some assistance here.

Thanks in advance.

AMSTNLA201A CM           OMPR201 SEP08 15:16:04 3202 INFO OM REPORT 
    CLASS:   LCR_OM
    START:2014/09/08 15:00:00 MON; STOP: 2014/09/08 15:15:00 MON;
    SLOWSAMPLES:         9 ; FASTSAMPLES:         90 ;

    TRK
          KEY (COMMON_LANGUAGE_NAME)
          INFO (OM2TRKINFO)
             INCATOT   PRERTEAB     INFAIL    NATTMPT   NOVFLATB      GLARE    OUTFAIL    DEFLDCA       DREU       PREU
                 TRU        SBU        MBU   OUTMTCHF    CONNECT     TANDEM        AOF        ANF       TOTU     ANSWER
             ACCCONG   NOANSWER   INANSWER    OUTANSU     INANSU    MIDFAIL

         --------------------------------------------------------------------------------------------------------------
               31614         31         84      35822       1351          4         16          0          0          0
              116631          0        397          0      34402      34255          0          0     117028      26421
                   0          0          0          0          0          0
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lennys26
Communicator
‎10-30-2014 01:54 PM

I just wanted to post what I have ended up using as the solution.

| rex field=_raw "-+[^\\d]+(?<INCATOT>[^ ]+)\\s+(?<PRERTEAB>[^ ]+)\\s+(?<INFAIL>[^ ]+)\\s+(?<NATTMPT>[^ ]+)\\s+(?<NOVFLATB>[^ ]+)\\s+(?<GLARE>[^ ]+)\\s+(?<OUTFAIL>[^ ]+)\\s+(?<DEFLDCA>[^ ]+)\\s+(?<DREU>[^ ]+)\\s+(?<PREU>[^ ]+)\\s+(?<TRU>[^ ]+)\\s+(?<SBU>[^ ]+)\\s+(?<MBU>[^ ]+)\\s+(?<OUTMTCHF>[^ ]+)\\s+(?<CONNECT>[^ ]+)\\s+(?<TANDEM>[^ ]+)\\s+(?<AOF>[^ ]+)\\s+(?<ANF>[^ ]+)\\s+(?<TOTU>[^ ]+)\\s+(?<ANSWER>[^ ]+)\\s+(?<ACCCONG>[^ ]+)\\s+(?<NOANSWER>[^ ]+)\\s+(?<INANSWER>[^ ]+)\\s+(?<OUTANSU>[^ ]+)\\s+(?<INANSU>[^ ]+)\\s+(?<MIDFAIL>[^ ]+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

lennys26
Communicator
‎10-30-2014 01:54 PM

I just wanted to post what I have ended up using as the solution.

| rex field=_raw "-+[^\\d]+(?<INCATOT>[^ ]+)\\s+(?<PRERTEAB>[^ ]+)\\s+(?<INFAIL>[^ ]+)\\s+(?<NATTMPT>[^ ]+)\\s+(?<NOVFLATB>[^ ]+)\\s+(?<GLARE>[^ ]+)\\s+(?<OUTFAIL>[^ ]+)\\s+(?<DEFLDCA>[^ ]+)\\s+(?<DREU>[^ ]+)\\s+(?<PREU>[^ ]+)\\s+(?<TRU>[^ ]+)\\s+(?<SBU>[^ ]+)\\s+(?<MBU>[^ ]+)\\s+(?<OUTMTCHF>[^ ]+)\\s+(?<CONNECT>[^ ]+)\\s+(?<TANDEM>[^ ]+)\\s+(?<AOF>[^ ]+)\\s+(?<ANF>[^ ]+)\\s+(?<TOTU>[^ ]+)\\s+(?<ANSWER>[^ ]+)\\s+(?<ACCCONG>[^ ]+)\\s+(?<NOANSWER>[^ ]+)\\s+(?<INANSWER>[^ ]+)\\s+(?<OUTANSU>[^ ]+)\\s+(?<INANSU>[^ ]+)\\s+(?<MIDFAIL>[^ ]+)"
Reply
Solved! Jump to solution

HansK
Path Finder
‎09-19-2014 05:15 AM

This will do the trick:

 [\n\r].*--\s*(?<INCATOT>[0-9]*)\s*(?<PRERTEAB>[0-9]*)\s*(?<INFAIL>[0-9]*)\s*(?<NATTMPT>[0-9]*)\s*(?<NOVFLATB>[0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)
0 Karma
Reply
Solved! Jump to solution

lennys26
Communicator
‎09-08-2014 08:11 AM

The field names (INCATOT to MIDFAIL) are fixed.

0 Karma
Reply
Solved! Jump to solution

kml_uvce
Builder
‎09-08-2014 08:00 AM

you can do like this.
1)if your events are having fixed INCATOT to MIDFAIL then break your event starting from INCATOT
2)if your events are not having then break events starting from digit newline then word

Then you can extract fields by using regex.

kamal singh bisht
0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎09-08-2014 07:52 AM

Is the sequence of your field names (INCATOT to MIDFAIL) fixed? Or can it change from event to event?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...