Splunk Search

How to do One field extraction for similar sourcetypes?

NoSpaces
Contributor

Hello to everyone.

After reading the post linked down below, I tried to use the same approach for sourcetypes from Windows hosts.

https://community.splunk.com/t5/Splunk-Search/Applying-Field-Extractions-to-Several-Sourcetypes/m-p/...

To do it, I used this regex as the sourcetype:
(?::){0}*WinEventLog

But it didn't work, and I think that I misunderstood something.
Is anyone able to explain to me what was wrong?

1 Solution

isoutamo
SplunkTrust

Hi

I think that your "regex" should be

(?::){0}WinEventLog*

as the changing part is at the end of the ST name.

r. Ismo

NoSpaces
Contributor

Thank you for your answer.
I tried this one before posting the question, but it didn't work.
Now, after I removed the other extraction rules for each sourcetype, I decided to give it one more try.
And now it's working as expected.
I feel dumb but happy 😃

NoSpaces
Contributor

Up


ITWhisperer
SplunkTrust

What is your use case (it could be that the other post does not apply to you)?

NoSpaces
Contributor

All sourcetypes from Windows EventLog start with "WinEventLog".
For example:

  • WinEventLog:Security
  • WinEventLog:System
  • WinEventLog:Application 
  • WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational

It isn't necessary to use one extraction rule instead of one per sourcetype, because there aren't many different Windows sourcetypes in our production.
But I think that it's more convenient for me.

In my use case I want to extract the Severity field, which I use for log coloring (global eventtype rule).
Below, you can see an example for a specific sourcetype:

[WinEventLog:Application]
EXTRACT-Severity = \sType=(?<Severity>\w+)

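A small simulation of the stanza matching discussed in this thread, added here as an example and not part of the original thread or of Splunk's own code. It assumes that a props.conf header beginning with `(?::){0}` is a regex tested against the start of the sourcetype name (Python's `re.match`), converts the PCRE `(?<name>...)` group syntax of the EXTRACT-Severity rule to Python's `(?P<name>...)`, and runs that rule over a constructed Windows event; the helper names, the stanza table and the sample event are all invented for the example.

```python
import re

REGEX_STANZA_PREFIX = "(?::){0}"

# Constructed props.conf content: the regex stanza from the accepted answer.
STANZAS = {
    "(?::){0}WinEventLog*": {"EXTRACT-Severity": r"\sType=(?<Severity>\w+)"},
}

# Constructed sample event in the multi-line layout of Windows event log data.
SAMPLE_EVENT = (
    "10/01/2025 09:12:33 AM\n"
    "LogName=Application\n"
    "EventCode=1000\n"
    "Type=Error\n"
    "ComputerName=host01\n"
)

def is_valid_stanza_regex(header):
    """Check whether the part after (?::){0} compiles as a regex.
    The asker's original header fails this check in Python's engine
    because the leading '*' has nothing to repeat."""
    try:
        re.compile(header[len(REGEX_STANZA_PREFIX):])
        return True
    except re.error:
        return False

def stanza_matches(header, sourcetype):
    """Decide whether a stanza header applies to a sourcetype.
    Assumption: a (?::){0} header is a regex anchored at the start of the
    sourcetype name; any other header is compared literally."""
    if header.startswith(REGEX_STANZA_PREFIX):
        return re.match(header[len(REGEX_STANZA_PREFIX):], sourcetype) is not None
    return header == sourcetype

def extract_fields(sourcetype, event, stanzas=STANZAS):
    """Apply every EXTRACT-* rule of every matching stanza to the event."""
    fields = {}
    for header, settings in stanzas.items():
        if not stanza_matches(header, sourcetype):
            continue
        for key, pattern in settings.items():
            if key.startswith("EXTRACT-"):
                # Splunk uses PCRE (?<name>...) groups; Python needs (?P<name>...).
                match = re.search(pattern.replace("(?<", "(?P<"), event)
                if match:
                    fields.update(match.groupdict())
    return fields
```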