Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract new fields in a log file

sarvan7777
New Member
‎04-12-2018 05:46 AM

Here is a sample content from my application log. I wish to extract the fields

"rib-rmq Status is STATE_ACTIVE.
Loading log4j.xml from jar:file:/appli/oretail/rib14/Rib1412ForAll14xxApps/rib-home/tools-home/rdmt_atgsup/lib/rdmt-14.1.2.jar!/log4j.xml
Executing command : JmxCommand(connect).
Attempting to Connect
Attempting to Connect
JMX URL :service:jmx:t3://PRDORAPRIR1:16110/jndi/weblogic.management.mbeanservers.domainruntime
JMX USer :weblogic
JMX ConnectionProvider Pkg :weblogic.management.remote
connected.
Previous command successful: JmxCommand(connect).
Executing command : JmxCommand(invoke).
invoke returned STATE_ACTIVE
Previous command successful: JmxCommand(invoke).
JMX request for rib-rms Managed Adapter Status...
**Managed Adapters detected: 62
Managed Adapters running : 38
Managed Adapters stopped : 24
Managed Adapters failed : 0*
invoke rib-rms:appName=rib-rms,level=application returnStatusForAll"*

I just want to create a table report that only shows

Detected 62
Running 38
Stopped 24
Failed 0

Ideally, All I want is look is, grep the lines starting at "Managed Adapters" filter from the _raw event and then create a new field using the Key and Value.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

p_gurav
Champion
‎04-12-2018 06:48 AM

You need to create field transformation using below parameters. Go to setting--> field-->field transformation--> create new field transformation say "abc".

 REGEX = Managed Adapters\s*([^:]+):\s*(\d+)
 FORMAT = $1:$2

Then create new field extraction, select uses transform option then refer abc over there

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

p_gurav
Champion
‎04-12-2018 06:48 AM

You need to create field transformation using below parameters. Go to setting--> field-->field transformation--> create new field transformation say "abc".

 REGEX = Managed Adapters\s*([^:]+):\s*(\d+)
 FORMAT = $1:$2

Then create new field extraction, select uses transform option then refer abc over there

0 Karma
Reply
Solved! Jump to solution

sarvan7777
New Member
‎04-12-2018 08:52 PM

Thanks for the response. I think format should be like this $1::$2, otherwise it is not saving. Unfortunately, I don't see the new fields when I query the events. Am I still missing something?

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-12-2018 10:08 PM

My bad yes you have to use $1::$2. Did you create field transformation and extraction both? Also try changing permission of field transformation and extraction.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-12-2018 06:33 AM

Do you want to extract the fields at index time or search time?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sarvan7777
New Member
‎04-12-2018 08:50 PM

I wish to extract at the search time

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...