Splunk Search

How to extract new fields in a log file

sarvan7777
New Member

Here is some sample content from my application log. I wish to extract the fields:

"rib-rmq Status is STATE_ACTIVE.
Loading log4j.xml from jar:file:/appli/oretail/rib14/Rib1412ForAll14xxApps/rib-home/tools-home/rdmt_atgsup/lib/rdmt-14.1.2.jar!/log4j.xml
Executing command : JmxCommand(connect).
Attempting to Connect
Attempting to Connect
JMX URL :service:jmx:t3://PRDORAPRIR1:16110/jndi/weblogic.management.mbeanservers.domainruntime
JMX USer :weblogic
JMX ConnectionProvider Pkg :weblogic.management.remote
connected.
Previous command successful: JmxCommand(connect).
Executing command : JmxCommand(invoke).
invoke returned STATE_ACTIVE
Previous command successful: JmxCommand(invoke).
JMX request for rib-rms Managed Adapter Status...
**Managed Adapters detected: 62
Managed Adapters running : 38
Managed Adapters stopped : 24
Managed Adapters failed : 0
*
invoke rib-rms:appName=rib-rms,level=application returnStatusForAll"*

I just want to create a table report that only shows

Detected 62
Running 38
Stopped 24
Failed 0

Ideally, all I want is to grep the lines starting with "Managed Adapters" from the _raw event and then create a new field using the key and value.

1 Solution

p_gurav
Champion

You need to create a field transformation using the parameters below. Go to Settings --> Fields --> Field transformations --> create a new field transformation, say "abc".

 REGEX = Managed Adapters\s*([^:]+):\s*(\d+)
 FORMAT = $1:$2

Then create a new field extraction, select the "uses transform" option, and refer to abc there.

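To see what the accepted transformation actually captures on the sample event, here is an added Python example (not from the thread and not Splunk code) that emulates a search-time transform with FORMAT = $1::$2: the first capture group becomes the field name, the second becomes the field value, and search-time REPORT extractions apply the regex to every match in the event. SAMPLE_EVENT is constructed from the log excerpt in the question; TIGHT_REGEX is an assumed, tightened alternative that does not appear in the thread.

```python
import re

# Constructed sample event, copied in shape from the question's log excerpt.
SAMPLE_EVENT = """\
JMX request for rib-rms Managed Adapter Status...
**Managed Adapters detected: 62
Managed Adapters running : 38
Managed Adapters stopped : 24
Managed Adapters failed : 0
*
invoke rib-rms:appName=rib-rms,level=application returnStatusForAll"*
"""

# The REGEX from the accepted answer, unchanged.
THREAD_REGEX = re.compile(r"Managed Adapters\s*([^:]+):\s*(\d+)")

# Assumed tightened version (not from the thread): the key is a single word
# and the optional space before the colon is consumed outside the capture,
# so the resulting field name never carries trailing whitespace.
TIGHT_REGEX = re.compile(r"Managed Adapters\s+(\w+)\s*:\s*(\d+)")


def extract_fields(event: str, regex: re.Pattern) -> dict:
    """Emulate FORMAT = $1::$2 for a search-time transform.

    Every match of `regex` in the event yields one field whose name is
    capture group 1 and whose value is capture group 2.
    """
    return {key: value for key, value in regex.findall(event)}


def untrimmed_keys(fields: dict) -> list:
    """Return field names that carry leading or trailing whitespace.

    The thread's `[^:]+` keeps the space that precedes the colon on the
    'running : 38' style lines, so those field names are not clean.
    """
    return [key for key in fields if key != key.strip()]


def status_table(event: str) -> list:
    """Build the four-row report from the question: (Label, count)."""
    fields = extract_fields(event, TIGHT_REGEX)
    return [(key.capitalize(), int(value)) for key, value in fields.items()]


if __name__ == "__main__":
    loose = extract_fields(SAMPLE_EVENT, THREAD_REGEX)
    print("thread regex fields :", loose)
    print("keys with whitespace:", untrimmed_keys(loose))
    for label, count in status_table(SAMPLE_EVENT):
        print(f"{label:<9}{count}")
```

The same REGEX and FORMAT pair can be written as a transforms.conf stanza and referenced from a REPORT- setting in props.conf instead of going through the Settings UI; whichever way it is created, the tightened pattern avoids the trailing-space field names that the thread's `[^:]+` produces for the lines that have a space before the colon.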

sarvan7777
New Member

Thanks for the response. I think the format should be like this: $1::$2, otherwise it is not saving. Unfortunately, I don't see the new fields when I query the events. Am I still missing something?


p_gurav
Champion

My bad, yes, you have to use $1::$2. Did you create both the field transformation and the field extraction? Also try changing the permissions of the field transformation and the extraction.


richgalloway
SplunkTrust

Do you want to extract the fields at index time or search time?


sarvan7777
New Member

I wish to extract at search time.
