- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Varying Field Extractions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A sample sequence of my log goes something like this
07/03/2011 15:26,07/03/2011 15:26,...,... Refresh Process is starting up,CLOSED,UNKNOWN,Smarts-Appmon,0,,,,etcetc
OR
07/03/2011 15:06,07/03/2011 15:06,...,... Monitor ...,CLOSED,WARNING,Appmon,0,etcetc
OR
07/03/2011 14:55,07/03/2011 14:55,...,..,...,CLOSED,NORMAL,SNMP,0,etcetc
so.. im trying to extract the [warning]
which varies from "Warning","Normal","Major","Minor","Critical","Unknown"
however Web extraction gives me: "(?i),CLOSED,(?P
but the field before it could be "OPEN" as well. I tried to add a CLOSED|OPEN but it became an error. can someone enlighten me?
another field im having trouble is [source]
the regex was based on the number of commas, however, from the 2 examples i given, this is not necessarily true as well. they vary from 5(1st and 2nd) to 6 (3rd log). this problem is similar to my first question.
Thanks for taking your time to read!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following rex statement should bring out the information as warning_level and the_source. I don't think you can extract a field called source (or sourcetype etc) since that is a default field.
... | rex ",\[(?<warning_level>\w+)\],\s*\[(?<the_source>\w+)\]$" |
Note: I added a possible whitespace between warning_level and the_source, since your example didn't really show the actual format. Remove if not applicable.
UPDATE:
Well that pretty much changed the game. There are no longer any square brackets in your events, and the line does not end where you said it did... 🙂
... | rex ",(OPEN|CLOSED),(?<warning_level>\w+),(?<the_source>\w+)," |
should work better with your sample above.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following rex statement should bring out the information as warning_level and the_source. I don't think you can extract a field called source (or sourcetype etc) since that is a default field.
... | rex ",\[(?<warning_level>\w+)\],\s*\[(?<the_source>\w+)\]$" |
Note: I added a possible whitespace between warning_level and the_source, since your example didn't really show the actual format. Remove if not applicable.
UPDATE:
Well that pretty much changed the game. There are no longer any square brackets in your events, and the line does not end where you said it did... 🙂
... | rex ",(OPEN|CLOSED),(?<warning_level>\w+),(?<the_source>\w+)," |
should work better with your sample above.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chart c over the_source by warning_level
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks alot. it helped.
now im gng try some stats/charts to show the source over warninglevels~~~
here's a cookie.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see update above /k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ive added the actual details of the log.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
