Splunk Search

Simple extraction regex to parse out space separated logs?

thisissplunk
Builder

I'm dealing with a highly customized access log that isn't being processed properly by access_combined sourcetype during indexing. Fields aren't being pulled out.

Is there a way to write a regex in search time extractions that will simply do something similar to a split(_raw," ")?

I CANNOT do something like the following because it's way too slow to rex out or split the entire data set (it's huge):

index=blah | rex field=_raw "(?<field1>\S+)\s(?<field2>\S+)\s" | search field1=wowthiswasslow

It needs to be streaming so that I can search like:

 index=blah extracted_field1=thatwasfast
0 Karma
1 Solution

thisissplunk
Builder

Actually I was making this harder than it had to be. Just go to "Extract more fields" then choose "Delimiter" then choose Space as the delimiter.


0 Karma

micahkemp
Champion

Yup, that’s a better way to parse delimited fields long term.

I honestly can't imagine splitting by spaces is going to work for web logs, though. What about user agents?

0 Karma

micahkemp
Champion

| eval allfields=_raw | makemv allfields

This may not work well for your specific use case, but it will split into as many values as it needs. delim defaults to " ", so I left it out of the command.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Makemv

thisissplunk
Builder

Hmm ok, I'm looking for it now, but how do I search for something like allfields[0]=blah?

Found it: | eval field7=mvindex(allfields,7) | search field7=200

Still left wondering if this will be slow due to the extra | search

0 Karma
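The two approaches in this thread (the "Extract more fields" delimiter wizard from the accepted answer, and the regex that micahkemp's user-agent objection calls for) both end up as search-time extractions in props.conf/transforms.conf. The following is an added example, not something posted in the thread; it assumes a sourcetype named custom_access and the constructed sample line shown in the comments, since the original poster never showed their actual log layout.

```ini
# Added example (not from the thread): search-time extractions for a custom
# access log. Assumes a sourcetype named "custom_access" and a line layout
# like the constructed sample below. Both stanzas are applied at search time,
# so a search such as
#   index=blah sourcetype=custom_access status=200
# works with no | rex or | search stage in the pipeline.
#
# Constructed sample event (assumed CLF-style layout with a quoted user agent):
#   10.1.2.3 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"

# --- props.conf ---
[custom_access]
# 1. What the "Extract more fields" > Delimiter > Space wizard generates:
#    positional fields split on single spaces. Cheap, but on the sample line
#    the user agent is spread across field12 ... field16 because it contains
#    spaces, and the quotes stay attached to the tokens (field6 = "GET).
REPORT-space_fields = custom_access_space_fields

# 2. Quote-aware regex extraction for the same line. Quoted sections are
#    matched with [^"]* so the whole user agent lands in one field; the
#    timestamp is matched with [^\]]+ for the same reason.
EXTRACT-quoted_fields = ^(?<clientip>\S+) \S+ \S+ \[(?<timestamp>[^\]]+)\] "(?<method>\S+) (?<uri>\S+) (?<http_version>\S+)" (?<status>\d+) (?<bytes>\S+) "(?<referer>[^"]*)" "(?<useragent>[^"]*)"

# --- transforms.conf ---
[custom_access_space_fields]
DELIMS = " "
FIELDS = "field1","field2","field3","field4","field5","field6","field7","field8","field9","field10","field11","field12"
```

Two things worth knowing when choosing between these and the makemv/mvindex approach: mvindex is zero-based, so mvindex(allfields,7) returns the eighth space-separated token, not the seventh; and the reason `index=blah status=200` in the base search is faster than `| rex ... | search status=200` is that Splunk can use the literal value as an index term to narrow the events it reads before running the extraction, whereas a trailing `| search` only runs after every event has been fetched and parsed.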