- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Story of the Tread: parsing application log files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
new to Splunk and would like to use it to parse application logs where every log entries is in the format shown below.
When I select and ThreadId, I would like to keep only the following fields:
Timestamp, Message, Title, ProcessId and ThreadId.
and eliminate the rest of the fields.
Timestamp: 8/16/2013 3:48:41 PM
Message: Starting main
Category: Trace
Priority: 0
EventId: 0
Severity: Start
Title:
Machine:
Application Domain: Foo.exe
Process Id: 6824
Process Name: C:\App\Foo.exe
Win32 Thread Id: 6348
Thread Name:
Extended Properties:
How Can this be accomplished?
Thanks,
Jm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what you mean by "eliminate" - Splunk will index the raw data without transforming it in any way, and the fields that are extracted from the data are extracted at search-time. An easy way to view just the fields you mention is run your search as usual, and then at the end add
| table _time Message Title ProcessId ThreadId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is getting me closer. Thanks for the nudge.
Now the question is how do I extract those fields: Message Title, Process Id, Thread Id
When I tried adding:
"| table _time Message Title ProcessId ThreadId"
I got the datetime but none of the other fields.
This is obviously a very newbie question.
Thanks for taking the time,
Jm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is getting me closer. Thanks for the nudge.
Now the question is how do I extract those fields: Message Title, Process Id, Thread Id
When I tried adding:
"| table _time Message Title ProcessId ThreadId"
I got the datetime but none of the other fields.
This is obviously a very newbie question.
Thanks for taking the time,
Jm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best thing to get you started is probably to extract them using the interactive field extractor. More info available here: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what you mean by "eliminate" - Splunk will index the raw data without transforming it in any way, and the fields that are extracted from the data are extracted at search-time. An easy way to view just the fields you mention is run your search as usual, and then at the end add
| table _time Message Title ProcessId ThreadId
Customer Experience | Splunk 2024: New Onboarding Resources
Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...
How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...
