Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: define and search on space delimited fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
define and search on space delimited fields
Hi,
I have the following data: (time x y word1 word2 )
20131116-162406.698 569 609 burbled his
20131116-162407.590 568 615 wood manxsome
20131116-162408.481 684 592 tumtum raths
20131116-162409.372 635 609 head his
20131116-162410.263 882 620 with tumtum
20131116-162411.154 489 608 sought took
20131116-162412.045 484 624 hand thought
20131116-162412.936 484 624 hand thought
20131116-162413.827 917 613 son long
20131116-162414.718 1162 552 wabe foe
20131116-162415.609 145 552 hand foe
20131116-162416.500 956 587 galumphing hand
20131116-162417.391 628 635 aflame head
...etc
splunk recognises the timestamp field but nothing else, so i am trying to identify the remaining fields, at search time, as Xpsn Ypsn prime sub
(nb. in the following regex epressions the '\' after each '(?<' is added to get this edit window to display properly and not in the splunk search line).
This works:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |top prime
This also works:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |table prime sub Xspn
However this does not work:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |search prime=hand |table prime sub
why? why cant search use the new fields when top, filter, table and others can??
This is not suitable:
sourcetype=MouseTracker hand | rex ... (etc) because it hits if 'hand' is first or second word.
sorry to be a ghastly newbie but this has me stumped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This might be because you've included the whitespace character in your fields. Try your search with this regex:
sourcetype=MouseTracker | rex "\s(?<Xpsn>\d+)\s(?<Ypsn>\d+)\s(?<prime>\w+)\s(?<\sub>\w+)" |search prime="hand" |table prime sub
or alternatively you could search for prime=" hand" which is probably not what you want to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And to make it 'permanent', i.e. moving it from the query to a config file;
props.conf
[MouseTracker]
REPORT-blah = mouse_tracker_extractions
transforms.conf
[mouse_tracker_extractions]
DELIMS = " "
FIELDS = timestamp, Xpsn, Ypsn, prime, sub
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks very much. That has sorted it.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
