Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with multiple field extractions

moshiro
New Member
‎12-04-2014 05:00 PM

Wanted to know the best way to extract multiple fields along with their associated values. I have a log that I need to about 10 fields extracted. The values are updated every five minutes.

Here is example of the log:
2014-12-04 15:56:01 dbsize 5628245
2014-12-04 15:56:01 mem_fragmentation_ratio 1.24
2014-12-04 15:56:01 used_cpu_sys 366988.84
2014-12-04 15:56:01 used_cpu_user_children 255506.31
2014-12-04 15:56:01 used_memory 1401843904
2014-12-04 15:56:01 used_memory_human 1.31G

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-05-2014 01:21 AM

Hi moshiro,

as @sk314 wrote, change the log format to key=value or field=value pairs and Splunk will do this on its own. If not possible use props.conf and transforms.conf to make it happen like this:

props.conf
[yoursourcetype]
REPORT-GetmyKV = GetMyKeyValue

transforms.conf
[GetMyKeyValue]
REGEX = \:\d{2}\s(.*?)\s(.*)
FORMAT = $1::$2

This will put matching group1 as key/field and matching group2 as value.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-05-2014 01:21 AM

Hi moshiro,

as @sk314 wrote, change the log format to key=value or field=value pairs and Splunk will do this on its own. If not possible use props.conf and transforms.conf to make it happen like this:

props.conf
[yoursourcetype]
REPORT-GetmyKV = GetMyKeyValue

transforms.conf
[GetMyKeyValue]
REGEX = \:\d{2}\s(.*?)\s(.*)
FORMAT = $1::$2

This will put matching group1 as key/field and matching group2 as value.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

sk314
Builder
‎12-04-2014 05:28 PM

Splunk can automatically extract field=value pairs. so if you have timestamp field1=value1 field2=value2 and so on ... splunk would automatically do the extraction for you. Naturally this only works if you have control over the logging format.

If that is not in your hand (log format), you could try using the interactive field extractor to specify simple regex based extraction for your fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...