Splunk Search

Varying Field Extractions

attgjh1
Communicator

A sample sequence of my log goes something like this

07/03/2011 15:26,07/03/2011 15:26,...,... Refresh Process is starting up,CLOSED,UNKNOWN,Smarts-Appmon,0,,,,etcetc

OR

07/03/2011 15:06,07/03/2011 15:06,...,... Monitor ...,CLOSED,WARNING,Appmon,0,etcetc

OR

07/03/2011 14:55,07/03/2011 14:55,...,..,...,CLOSED,NORMAL,SNMP,0,etcetc

So I'm trying to extract the [warning],
which varies between "Warning", "Normal", "Major", "Minor", "Critical" and "Unknown".

However, web extraction gives me: "(?i),CLOSED,(?P[^,]+)"
but the field before it could be "OPEN" as well. I tried to add CLOSED|OPEN but it became an error. Can someone enlighten me?

Another field I'm having trouble with is [source].
The regex was based on the number of commas; however, from the 2 examples I've given, this is not necessarily true either. They vary from 5 (1st and 2nd) to 6 (3rd log). This problem is similar to my first question.

Thanks for taking your time to read!

0 Karma
1 Solution

kristian_kolb
Ultra Champion

The following rex statement should bring out the information as warning_level and the_source. I don't think you can extract a field called source (or sourcetype etc) since that is a default field.

... | rex ",\[(?<warning_level>\w+)\],\s*\[(?<the_source>\w+)\]$" |

Note: I added a possible whitespace between warning_level and the_source, since your example didn't really show the actual format. Remove if not applicable.


UPDATE:

Well that pretty much changed the game. There are no longer any square brackets in your events, and the line does not end where you said it did... 🙂

... | rex ",(OPEN|CLOSED),(?<warning_level>\w+),(?<the_source>\w+)," |

should work better with your sample above.

Hope this helps,

Kristian
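To check the updated rex against every sample before trusting it in a dashboard, here is an added example (my own code, not from the thread or from Splunk) that runs the question's web extraction and the answer's rex over constructed events in the same shape as the logs above. The "..." fields of the original post are filled with made-up values, and Splunk's `(?<name>...)` group syntax is translated to Python's `(?P<name>...)`. Running it shows two things worth knowing: the CLOSED-only extraction misses OPEN events, and `\w+` does not match the hyphen in a source such as `Smarts-Appmon`, so a `[^,]+` variant is included alongside it.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the thread's format; the "..." fields
# of the original post are filled with made-up values (not real log data).
SAMPLE_EVENTS = [
    "07/03/2011 15:26,07/03/2011 15:26,host1,Refresh Process is starting up,CLOSED,UNKNOWN,Smarts-Appmon,0,,,,etc",
    "07/03/2011 15:06,07/03/2011 15:06,host2,Monitor disk,CLOSED,WARNING,Appmon,0,etc",
    "07/03/2011 14:55,07/03/2011 14:55,host3,if1,up,Link state,CLOSED,NORMAL,SNMP,0,etc",
    "07/03/2011 14:50,07/03/2011 14:50,host3,if1,down,Link state,OPEN,MAJOR,SNMP,0,etc",
]

# Splunk rex uses PCRE-style (?<name>...) groups; Python's re needs (?P<name>...).
# The web extraction from the question: anchored on CLOSED only, so OPEN events are missed.
WEB_EXTRACTION = re.compile(r"(?i),CLOSED,(?P<warning_level>[^,]+)")
# The updated rex from the answer, with only the group syntax translated.
ANSWER_REX = re.compile(r",(OPEN|CLOSED),(?P<warning_level>\w+),(?P<the_source>\w+),")
# Same structure with [^,]+, so a source containing a hyphen ("Smarts-Appmon") still matches.
ANSWER_REX_ANYCHAR = re.compile(r",(OPEN|CLOSED),(?P<warning_level>[^,]+),(?P<the_source>[^,]+),")


def extract(event, pattern):
    """Return the named-group fields rex would add, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def chart_counts(events, pattern=ANSWER_REX_ANYCHAR):
    """Rough equivalent of `chart count over the_source by warning_level`: {source: {level: n}}."""
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        fields = extract(ev, pattern)
        if fields is None:
            continue  # rex silently leaves non-matching events without the fields; skip them here too
        table[fields["the_source"]][fields["warning_level"]] += 1
    return {src: dict(levels) for src, levels in table.items()}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract(ev, WEB_EXTRACTION), extract(ev, ANSWER_REX), extract(ev, ANSWER_REX_ANYCHAR))
    print(chart_counts(SAMPLE_EVENTS))
```

The same check applies in Splunk itself: run the rex over a time range that includes every source and status value and look for events where `warning_level` or `the_source` is missing, since rex drops no events and an unmatched pattern simply yields no field.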

kristian_kolb
Ultra Champion

chart c over the_source by warning_level

0 Karma

attgjh1
Communicator

Thanks a lot, it helped.

Now I'm going to try some stats/charts to show the source over warning levels.

here's a cookie.

0 Karma

kristian_kolb
Ultra Champion

See update above. /k

0 Karma

attgjh1
Communicator

I've added the actual details of the log.

0 Karma