Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract new fields in a log file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a sample content from my application log. I wish to extract the fields
"rib-rmq Status is STATE_ACTIVE.
Loading log4j.xml from jar:file:/appli/oretail/rib14/Rib1412ForAll14xxApps/rib-home/tools-home/rdmt_atgsup/lib/rdmt-14.1.2.jar!/log4j.xml
Executing command : JmxCommand(connect).
Attempting to Connect
Attempting to Connect
JMX URL :service:jmx:t3://PRDORAPRIR1:16110/jndi/weblogic.management.mbeanservers.domainruntime
JMX USer :weblogic
JMX ConnectionProvider Pkg :weblogic.management.remote
connected.
Previous command successful: JmxCommand(connect).
Executing command : JmxCommand(invoke).
invoke returned STATE_ACTIVE
Previous command successful: JmxCommand(invoke).
JMX request for rib-rms Managed Adapter Status...
**Managed Adapters detected: 62
Managed Adapters running : 38
Managed Adapters stopped : 24
Managed Adapters failed : 0*
invoke rib-rms:appName=rib-rms,level=application returnStatusForAll"*
I just want to create a table report that only shows
Detected 62
Running 38
Stopped 24
Failed 0
Ideally, All I want is look is, grep the lines starting at "Managed Adapters" filter from the _raw event and then create a new field using the Key and Value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to create field transformation using below parameters. Go to setting--> field-->field transformation--> create new field transformation say "abc".
REGEX = Managed Adapters\s*([^:]+):\s*(\d+)
FORMAT = $1:$2
Then create new field extraction, select uses transform option then refer abc over there
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to create field transformation using below parameters. Go to setting--> field-->field transformation--> create new field transformation say "abc".
REGEX = Managed Adapters\s*([^:]+):\s*(\d+)
FORMAT = $1:$2
Then create new field extraction, select uses transform option then refer abc over there
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response. I think format should be like this $1::$2, otherwise it is not saving. Unfortunately, I don't see the new fields when I query the events. Am I still missing something?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad yes you have to use $1::$2. Did you create field transformation and extraction both? Also try changing permission of field transformation and extraction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want to extract the fields at index time or search time?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wish to extract at the search time
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
