Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create custom fields from syslog?

Splunky21
Explorer
‎07-13-2022 09:52 AM

Hello, 

I have the following log:

Month date time, ip address, host, [system] 2022 194 16:15:14 X01: Freq error: phase start: -13.5 ns, phase end: +4.7 ns

I'm trying to create custom fields named "Start" and "End" that hold the positive and negative numerical values only, but I am fairly new to field extraction and can't seem to find a way to tie the values to "phase start" and "phase end" without having them included in the field....

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-13-2022 10:13 AM

I'd use the rex command for that.  In the regular expressions, use "phase start" and "phase end" to locate the desired fields, but keep those string out of the capture groups.

| rex "phase start: (?<phase_start>\S+)"
| rex "phase end: (?<phase_end>\S+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jotne
Builder
‎07-13-2022 01:06 PM

One regex would do and may be some faster:

 

| rex "phase start: (?<phase_start>\S+).*end: (?<phase_end>\S+)"

 

Tags (1)
0 Karma
Reply

Splunky21
Explorer
‎07-13-2022 10:28 AM

This worked! How would I go about saving these as permanent fields that I can create a table with in my search?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-13-2022 10:55 AM

I'm not sure what you mean by "permanent", but the fields are created by the rex commands and are available for use in the rest of the search.  The field names are inside angle brackets in the regular expressions (phase_start and phase_end).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...