Splunk Search

How to define a data filter in order to apply different fields extractions for 2 different events from the same source?

dhantran
New Member

Hello,

I am new to Splunk Enterprise.

Here is my problem:
I have a data source in the form of text files which contains two types of events, and each can be identified by a string.
Ex:

line 1 : XXXX XX XXX ENVXXXXXXXXXXX
line 2 : XXXXXXXXXXORDXXXX XXX XXXXX
line 3 : XXXXXXXXXXORDXXXX XXX XXXXX
etc...

What I'm trying to do is to find a way to extract fields according to each type of event.
I've come up with two field extractors, one for the lines that contain "ENV" and one for "ORD"; each contains a regex to extract the information I want.
However, I don't understand how to use them properly yet.
Is there a way to tell Splunk that if it finds lines that contain "ENV", then apply extractor X, otherwise extractor Y?

Thanks for your help

1 Solution

lguinn2
Legend

Yes, it depends on how you write your regular expressions. In fact, I find this easiest to do by editing props.conf directly:

[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})

With these extractions, only events that match the first pattern (which includes "ENV") will have field1, and only events that match the second pattern (including "ORD") will contain field2.

You can make your regular expressions as complex as they need to be, in order to match exactly and only the data you want. Also, you can have a single EXTRACT line that extracts multiple fields at once. But I often find it is easier to write each field extraction separately, as I have done here, especially when the patterns are different.
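Added example, not part of the original thread: a small Python simulation of how Splunk applies each EXTRACT-* regex independently at search time, using the props.conf stanza from the answer above. The sample events, the stanza name and the PCRE-to-Python named-group conversion are assumptions made for the illustration.

```python
import re

# Constructed sample events shaped like the question's text file.
# The original post only shows X placeholders; these values are made up.
SAMPLE_EVENTS = [
    "2024 01 4711ENV production web-01",
    "ORD2024 shipped customer=42",
    "ORD0099 pending customer=17",
    "2024 01 4712ENV staging web-02",
]

# The stanza from the accepted answer; the sourcetype name is a placeholder.
PROPS_CONF = r"""
[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})
"""


def parse_extracts(props_text: str) -> dict:
    """Return {stanza_key: compiled regex} for every EXTRACT-<name> line."""
    extracts = {}
    for line in props_text.splitlines():
        line = line.strip()
        if not line.startswith("EXTRACT-"):
            continue
        key, _, pcre = line.partition("=")
        # Splunk regexes are PCRE; Python's re module only accepts
        # (?P<name>...) for named groups, so rewrite (?<name> but leave
        # lookbehinds such as (?<= and (?<! untouched.
        py_regex = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre.strip())
        extracts[key.strip()] = re.compile(py_regex)
    return extracts


def extract_fields(event: str, extracts: dict) -> dict:
    """Apply every EXTRACT independently, as Splunk does at search time.
    A regex that does not match simply contributes no fields to the event,
    which is what makes "ENV" events get field1 and "ORD" events field2."""
    fields = {}
    for pattern in extracts.values():
        match = pattern.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


def run(events=SAMPLE_EVENTS, props_text=PROPS_CONF) -> list:
    extracts = parse_extracts(props_text)
    return [extract_fields(event, extracts) for event in events]


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, run()):
        print(f"{event!r} -> {fields}")
```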
