Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to define a data filter in order to apply diff...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am new to Splunk Enterprise
Here is my problem:
I have a data source in the form of text files which contains two type of events, and each can be identified by a string
Ex :
line 1 : XXXX XX XXX ENVXXXXXXXXXXX
line 2 : XXXXXXXXXXORDXXXX XXX XXXXX
line 3 : XXXXXXXXXXORDXXXX XXX XXXXX
etc...
What I'm trying to do is to find a way to extract fields according to each type of event.
I've came up with two fields extractors, one for the line that contains "ENV", and one for "ORD", each contain a regex to extract the information I want.
However, I don't understand how to use them properly yet.
Is there a way to tell Splunk that if it finds lines that contains "ENV", then apply extractor X, otherwise extractor Y ?
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it depends on how you write your regular expression. In fact, I find this easiest to do by editing props.conf directly
[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})
With these extractions, only events that match the first pattern (which includes "ENV") will have field1, and only events that match the second pattern (including "ORD") will contain field2
You can make your regular expressions as complex as they need to be, in order to match exactly and only the data you want. Also, you can have a single EXTRACT line that extracts multiple fields at once. But I often find it is easier to write each field extraction separately, as I have done here, especially when the patterns are different.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it depends on how you write your regular expression. In fact, I find this easiest to do by editing props.conf directly
[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})
With these extractions, only events that match the first pattern (which includes "ENV") will have field1, and only events that match the second pattern (including "ORD") will contain field2
You can make your regular expressions as complex as they need to be, in order to match exactly and only the data you want. Also, you can have a single EXTRACT line that extracts multiple fields at once. But I often find it is easier to write each field extraction separately, as I have done here, especially when the patterns are different.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
