Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is Pre-processing logs necessary?

monicato
Path Finder
‎06-20-2012 09:27 AM

Hello,

I'm having trouble getting Splunk to identify one of the fields in my logs because this field contains a single binary number (so either 0 or 1). Splunk only identifies other zeros and ones in my other fields... My question is, does this mean I have to pre process my logs before inputting them into splunk? Anyone have the same problem? know a fix? MUCH APPRECIATED!!

alt text

Splunk is identifying the zeros in the timestamp, which I do not want. I want the column circled in green. Open image in new tab to see enlarged image.

Here's a raw log for example:

***note*: I'm having problems with the last column: it's always either 1 or 0

2011-11-25    09:31:20      198.190.172.123      HEAD      /e.download.com/49/63/4863/64bit.part2.rar       200    266    0      "-"    "tSession Interface"     "DState=""3+0+01KI+0.00+Start+0+0+14645+TransId=2ea4bd87_Guid=8e73b4564dfaace20490_IP=198.190.172.123"""       1468045    -      0
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-20-2012 12:55 PM

No, preprocessing is not necessary! But the Interactive Field Extractor is ultimately a mechanical regular expression generator - it will never be as intelligent as a human who understands the data.

One solution would be to create the field extraction manually in props.conf. If you are the Splunk admin, that might be your best choice.

But you can also put the regular expression directly into the Interactive Field Extractor. Click the Edit button and Splunk will give you a window to edit the regular expression. The following regular expression picks up the last digit on the line:

(?P<FIELDNAME>\d)\s*$

I looked at your screenshot, and I think this is what you want. Let us know if it doesn't work...

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-20-2012 12:55 PM

No, preprocessing is not necessary! But the Interactive Field Extractor is ultimately a mechanical regular expression generator - it will never be as intelligent as a human who understands the data.

One solution would be to create the field extraction manually in props.conf. If you are the Splunk admin, that might be your best choice.

But you can also put the regular expression directly into the Interactive Field Extractor. Click the Edit button and Splunk will give you a window to edit the regular expression. The following regular expression picks up the last digit on the line:

(?P<FIELDNAME>\d)\s*$

I looked at your screenshot, and I think this is what you want. Let us know if it doesn't work...

Reply
Solved! Jump to solution

monicato
Path Finder
‎06-20-2012 01:02 PM

YES that does it! THANK YOU!!! 😄

0 Karma
Reply
Solved! Jump to solution

monicato
Path Finder
‎06-20-2012 12:51 PM

I just updated post with a raw log

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 11:44 AM

We need to some raw events to help you in this case and generate the right regex for you.

0 Karma
Reply
Solved! Jump to solution

monicato
Path Finder
‎06-20-2012 11:43 AM

clicking on an "x" in yellow in the field extractor does not revise the regex correctly... : (

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 10:56 AM

When you click on an 'X' in yellow in the field extractor does it revise the regex for you and find what you need? I would try that first. If that doesn't work, if you post a raw event example i'm sure someone can give you the regex that will work.

0 Karma
Reply
Solved! Jump to solution

monicato
Path Finder
‎06-20-2012 10:42 AM

I just updated my question post with a screenshot

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎06-20-2012 09:52 AM

Can you post an example event from the raw file, so we can picture it better?

0 Karma
Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...