Splunk Search

Varying Field Extractions

attgjh1
Communicator

A sample sequence of my log goes something like this

07/03/2011 15:26,07/03/2011 15:26,...,... Refresh Process is starting up,CLOSED,UNKNOWN,Smarts-Appmon,0,,,,etcetc

OR

07/03/2011 15:06,07/03/2011 15:06,...,... Monitor ...,CLOSED,WARNING,Appmon,0,etcetc
OR

07/03/2011 14:55,07/03/2011 14:55,...,..,...,CLOSED,NORMAL,SNMP,0,etcetc

So, I'm trying to extract the [warning],
which varies from "Warning", "Normal", "Major", "Minor", "Critical", "Unknown".

However, web extraction gives me: "(?i),CLOSED,(?P[^,]+)"
but the field before it could be "OPEN" as well. I tried to add CLOSED|OPEN but it became an error. Can someone enlighten me?

Another field I'm having trouble with is [source].
The regex was based on the number of commas; however, from the 2 examples I've given, this is not necessarily true either. They vary from 5 (1st and 2nd) to 6 (3rd log). This problem is similar to my first question.

Thanks for taking your time to read!


kristian_kolb
Ultra Champion

The following rex statement should bring out the information as warning_level and the_source. I don't think you can extract a field called source (or sourcetype etc) since that is a default field.

... | rex ",\[(?<warning_level>\w+)\],\s*\[(?<the_source>\w+)\]$" |

Note: I added a possible whitespace between warning_level and the_source, since your example didn't really show the actual format. Remove if not applicable.


UPDATE:

Well that pretty much changed the game. There are no longer any square brackets in your events, and the line does not end where you said it did... 🙂

... | rex ",(OPEN|CLOSED),(?<warning_level>\w+),(?<the_source>[^,]+)," |

should work better with your sample above.

Hope this helps,

Kristian

kristian_kolb
Ultra Champion

chart c over the_source by warning_level

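The extraction from the accepted answer and the chart suggested just above, worked through outside Splunk as an added example (this is not code from the original thread or from Splunk). It anchors on the state column (OPEN|CLOSED) rather than on a comma count, so the variable number of columns in the message part no longer matters, and it captures the source with [^,]+ so that a hyphenated name like Smarts-Appmon is taken whole; a NAIVE_RE using \w+ for the source is kept beside it to show where that variant stops matching. The sample events are constructed from the three lines in the question with the "..." placeholders filled by dummy columns, plus one OPEN event to exercise the alternation. Note the syntax difference: Splunk's rex is PCRE and accepts both (?<name>...) and (?P<name>...), while Python's re only accepts (?P<name>...).

```python
import re
from collections import Counter, defaultdict

# Constructed sample events modelled on the question's three lines (not real log
# data). Columns marked x/y/z stand in for the "..." in the original; the first
# event has a hyphenated source, the last one uses OPEN instead of CLOSED.
SAMPLE_EVENTS = [
    "07/03/2011 15:26,07/03/2011 15:26,x,y Refresh Process is starting up,CLOSED,UNKNOWN,Smarts-Appmon,0,,,,etc",
    "07/03/2011 15:06,07/03/2011 15:06,x,y Monitor z,CLOSED,WARNING,Appmon,0,etc",
    "07/03/2011 14:55,07/03/2011 14:55,x,y,z,CLOSED,NORMAL,SNMP,0,etc",
    "07/03/2011 14:50,07/03/2011 14:50,x,y,z,OPEN,CRITICAL,SNMP,0,etc",
]

# Same idea as the accepted rex, in Python's (?P<name>...) syntax. Anchoring on
# the state column makes the match independent of how many commas precede it;
# [^,]+ for the source accepts hyphens and other non-word characters.
EVENT_RE = re.compile(
    r",(?P<state>OPEN|CLOSED),(?P<warning_level>\w+),(?P<the_source>[^,]+),"
)

# The \w+ variant for the source: fails on "Smarts-Appmon" because \w does not
# match "-", so the event gets no fields at all (Splunk would likewise leave
# warning_level and the_source unset for that event).
NAIVE_RE = re.compile(
    r",(?P<state>OPEN|CLOSED),(?P<warning_level>\w+),(?P<the_source>\w+),"
)


def extract_fields(event, pattern=EVENT_RE):
    """Return the extracted fields as a dict, or None when the event does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def chart_count(events, pattern=EVENT_RE):
    """Equivalent of '| chart count over the_source by warning_level'.

    Returns {the_source: {warning_level: count}}; events that do not match are
    skipped, just as Splunk's chart ignores events lacking the split-by field.
    """
    table = defaultdict(Counter)
    for event in events:
        fields = extract_fields(event, pattern)
        if fields is None:
            continue
        table[fields["the_source"]][fields["warning_level"]] += 1
    return {source: dict(levels) for source, levels in table.items()}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fields(event), "| naive:", extract_fields(event, NAIVE_RE))
    print(chart_count(SAMPLE_EVENTS))
```

Running the block prints the fields per event for both patterns and then the per-source breakdown; the first event yields None under NAIVE_RE and is therefore missing from a chart built with it.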

attgjh1
Communicator

Thanks a lot. It helped.

Now I'm going to try some stats/charts to show the source over warning levels.

Here's a cookie.


kristian_kolb
Ultra Champion

See update above. /k


attgjh1
Communicator

I've added the actual details of the log.
