Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use metadata/header for all the following events

Flobzh
Explorer
‎05-10-2021 04:55 AM

Dear all,

I'm trying to retrieve some log metadata and associate them to all my events.

Exemple: 

When my application starts, I'll get a few lines with what I'm calling metadata here (version, env, user, ... ) and then, the raw logs start.

2021-05-10T09:53:21.122+02:00|Criticity=INFO|Message=Version:3.4;Env=production

2021-05-10T09:53:46.474+02:00|Criticity=INFO|Message=blabla
2021-05-10T09:53:46.474+02:00|Criticity=DEBUG|Message=blabla2
2021-05-10T09:53:46.478+02:00|Criticity=DEBUG|Message=blabla3

I want this Version and Env to be usable as a field in all my events.

Like if each event looked something like this from a sub-query search standpoint:

2021-05-10T09:53:46.474+02:00|Criticity=INFO|Message=blabla|Version:3.4;Env=production
2021-05-10T09:53:46.474+02:00|Criticity=DEBUG|Message=blabla2|Version:3.4;Env=production
2021-05-10T09:53:46.478+02:00|Criticity=DEBUG|Message=blabla3|Version:3.4;Env=production

What would be the solution to end up with such usage?

Context:

The application I want to monitor is a heavy client, the users can choose the environnement to connect to from their desktop, and I capture the logs via a UniversalForwarder to Splunk Cloud.

I don't have much control on the log format, I've to go with this one.

Thanks in advance for your help

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2021 05:38 AM 
| rex "(?<verenv>Version:\d\.\d;Env=\w+)"
| streamstats last(verenv) as lastverenv
| eval lastverenv=if(lastverenv=verenv,null,"|".lastverenv)
| eval _raw=_raw.lastverenv

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2021 05:38 AM 
| rex "(?<verenv>Version:\d\.\d;Env=\w+)"
| streamstats last(verenv) as lastverenv
| eval lastverenv=if(lastverenv=verenv,null,"|".lastverenv)
| eval _raw=_raw.lastverenv
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...