Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Turning a search into a new field

cpeteman
Contributor
‎08-19-2013 10:12 AM

The following search removes usernames, host names, all time information, any digits, and turns all strings of white space into a single "_" for the _raw message. 

.... |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" 
|rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" 
|rex mode=sed "s/(Jan|January|Feb|Febuary|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" 
|rex mode=sed "s/\s+/_/g"| rename _raw AS msgdigest |stats count by msgdigest

I would like to be able to have this "digested" message available as a field does anyone know how to turn this into a field. Preferably with the transforms and extraction pages in manager as I'm currently having unrelated problems with props.conf and transforms.conf files. Please help!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎08-19-2013 12:25 PM

A workaround is to create a macro and call it after the search.

For the automatic field extractions (rex command), please see
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...
I never tried to use the mode=sed in the configuration file, I couldn't figure if it's possible.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎08-20-2013 08:41 AM

I'm not really sure what you mean. Where am I using this re? and what do I put in the regex expression if I only have a sed expression?

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎08-19-2013 03:51 PM

Did this not work?
Syntax
rex field=

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎08-19-2013 12:25 PM

A workaround is to create a macro and call it after the search.

For the automatic field extractions (rex command), please see
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...
I never tried to use the mode=sed in the configuration file, I couldn't figure if it's possible.

0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎08-26-2013 03:55 PM

For now a macro seems to be the only option I did manage to avoid my fear in the above comment.

0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎08-19-2013 01:53 PM

A marco would take away the original _raw message, as I have my search now that is. Do you know if that can be avoided?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...