Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Need help with multiple field extractions

moshiro
New Member
‎12-04-2014 05:00 PM

Wanted to know the best way to extract multiple fields along with their associated values. I have a log that I need to about 10 fields extracted. The values are updated every five minutes.

Here is example of the log:
2014-12-04 15:56:01 dbsize 5628245
2014-12-04 15:56:01 mem_fragmentation_ratio 1.24
2014-12-04 15:56:01 used_cpu_sys 366988.84
2014-12-04 15:56:01 used_cpu_user_children 255506.31
2014-12-04 15:56:01 used_memory 1401843904
2014-12-04 15:56:01 used_memory_human 1.31G

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-05-2014 01:21 AM

Hi moshiro,

as @sk314 wrote, change the log format to key=value or field=value pairs and Splunk will do this on its own. If not possible use props.conf and transforms.conf to make it happen like this:

props.conf
[yoursourcetype]
REPORT-GetmyKV = GetMyKeyValue

transforms.conf
[GetMyKeyValue]
REGEX = \:\d{2}\s(.*?)\s(.*)
FORMAT = $1::$2

This will put matching group1 as key/field and matching group2 as value.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-05-2014 01:21 AM

Hi moshiro,

as @sk314 wrote, change the log format to key=value or field=value pairs and Splunk will do this on its own. If not possible use props.conf and transforms.conf to make it happen like this:

props.conf
[yoursourcetype]
REPORT-GetmyKV = GetMyKeyValue

transforms.conf
[GetMyKeyValue]
REGEX = \:\d{2}\s(.*?)\s(.*)
FORMAT = $1::$2

This will put matching group1 as key/field and matching group2 as value.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

sk314
Builder
‎12-04-2014 05:28 PM

Splunk can automatically extract field=value pairs. so if you have timestamp field1=value1 field2=value2 and so on ... splunk would automatically do the extraction for you. Naturally this only works if you have control over the logging format.

If that is not in your hand (log format), you could try using the interactive field extractor to specify simple regex based extraction for your fields.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...