How to extract field for irrelevant data log to in...

karthikeyan_k14 · ‎02-24-2017

Event Flow

(THREAD-XXXX) YYYY-MM-DD 15:53:38.486 - Server_Name flow step millis 32 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.508 - Server_Name flow step millis 22 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') (Server_Name,)
(THREAD-XXXX) YYYY-MM-DD 15:53:38.517 -  flow step millis 64 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.758 -  flow step millis 2 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.773 - Server_Name flow step millis 15 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.789 - Server_Name start flow ('IP reverse posting') (status: XXXX@XXX_004) (XXXXXXXXXXXXXXX)
(THREAD-XXXX) YYYY-MM-DD 15:53:38.791 - Server_Name flow step millis 1 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.793 - Server_Name flow step millis 2 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') - flow stops here
(THREAD-XXXX) YYYY-MM-DD 15:53:38.794 - Server_Name flow step millis 1 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')

can anyone, extract all fields at search time and would also like to extract a couple of fields?

may use Props.conf or Transforms.conf.

lguinn2 · ‎02-24-2017

In props.conf

EXTRACT-allfields= \(THREAD-(?<thread>\S+?)\) \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d+? - (?<server_name)\S+) (?<flow>\S+) (?<step>\S+) (?<millis>\S+) (?<numField>\d+) \('(?<message>\S+?)'\)

Be sure to put it all on one line in your props.conf

How to extract field for irrelevant data log to indexed?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability