Splunk Search

Implied field extraction in Splunk?

Josh
Path Finder

So I have used props and transforms to extract a field in my application by using a particular regex expression.

For instance, let's say there is a particular line of text in the logs as follows:

username@host logged in at 15:00

So I have used props and transforms to extract the value username into a user field; this works fine. What I want to do now is, within this application, wherever the entry username occurs in other events, I would like it to be tagged also as the field user.

So let's say somewhere else in my logs there is another event which has the line:

username invoked method x

I would like this event to have the field user which stores the value username.

Is there any way that we can match the field value across events in the application and also have them extracted into the field, or do you have to write every single possible regex pattern where the username may appear in the logs?


sideview
SplunkTrust

You do have to create regexes to match the values in different sourcetypes in different ways.

A couple ideas and tools spring to mind though to make this easier. If you pick a typical username and search for say:

mildred OR gladys OR agnes | top sourcetype

That will give you an idea of the sourcetypes where the username values spread to. Then, for each of the sourcetypes where there isn't already a good extraction, find 5 or 10 usernames that seem representative and run the following:

sourcetype=someSourceType | head 1000  | erex user examples="mildred,gladys,agnes,nico,etc..."

erex will chew on the data for a while and then actually tell you the best regular expression it can find that matches all those values successfully.

http://www.splunk.com/base/Documentation/latest/SearchReference/Erex

And it'll give you this regex in the form of a suggested rex command, so you can try it for a while as a rex clause before baking the regex into the config as a search-time field extraction.

For example, you can take the rex command it gives you, and assuming that rex command is creating a field called username, an easy way to quickly check the events that did NOT match, is just to tack on:

| search username!=*
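As an added illustration of the workflow in this answer (not code from the original post or from Splunk), the same three checks run in Python over a handful of constructed events: a per-sourcetype tally of where known usernames appear, a hand-written regex per sourcetype standing in for the erex suggestion, and a list of the events in a covered sourcetype that got no user field (the `username!=*` check). The events, sourcetype names, usernames and regexes are all assumptions.

```python
import re
from collections import Counter

# Constructed sample events, each tagged with a sourcetype (not from the original post).
EVENTS = [
    {"sourcetype": "auth", "_raw": "mildred@host1 logged in at 15:00"},
    {"sourcetype": "auth", "_raw": "gladys@host2 logged in at 15:02"},
    {"sourcetype": "app", "_raw": "mildred invoked method x"},
    {"sourcetype": "app", "_raw": "agnes invoked method y"},
    {"sourcetype": "app", "_raw": "scheduler tick"},
    {"sourcetype": "db", "_raw": "connection pool resized to 20"},
]
KNOWN_USERS = ["mildred", "gladys", "agnes"]

# Assumed, hand-written regexes: one per sourcetype, standing in for what erex
# would suggest. Each names its capture group "user".
EXTRACTIONS = {
    "auth": re.compile(r"^(?P<user>[^@\s]+)@\S+ logged in"),
    "app": re.compile(r"^(?P<user>\S+) invoked method"),
}


def sourcetypes_with_users(events, users):
    """Step 1: which sourcetypes mention known usernames (cf. `... | top sourcetype`)."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, users)) + r")\b")
    return Counter(e["sourcetype"] for e in events if pattern.search(e["_raw"]))


def extract_user(events, extractions):
    """Step 2: apply each sourcetype's regex; None where the event yields no user field."""
    out = []
    for e in events:
        rx = extractions.get(e["sourcetype"])
        m = rx.search(e["_raw"]) if rx else None
        out.append(m.group("user") if m else None)
    return out


def unmatched(events, extractions):
    """Step 3: events in a covered sourcetype with no user field (cf. `| search user!=*`)."""
    users = extract_user(events, extractions)
    return [e["_raw"] for e, u in zip(events, users)
            if e["sourcetype"] in extractions and u is None]


if __name__ == "__main__":
    print(dict(sourcetypes_with_users(EVENTS, KNOWN_USERS)))
    print(extract_user(EVENTS, EXTRACTIONS))
    print(unmatched(EVENTS, EXTRACTIONS))
```

The unmatched list is what you read by hand: here "scheduler tick" carries no username at all, so the miss is fine, whereas a line that does contain a user but shows up here means the regex for that sourcetype needs widening.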