- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: define and search on space delimited fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
define and search on space delimited fields
Hi,
I have the following data: (time x y word1 word2 )
20131116-162406.698 569 609 burbled his
20131116-162407.590 568 615 wood manxsome
20131116-162408.481 684 592 tumtum raths
20131116-162409.372 635 609 head his
20131116-162410.263 882 620 with tumtum
20131116-162411.154 489 608 sought took
20131116-162412.045 484 624 hand thought
20131116-162412.936 484 624 hand thought
20131116-162413.827 917 613 son long
20131116-162414.718 1162 552 wabe foe
20131116-162415.609 145 552 hand foe
20131116-162416.500 956 587 galumphing hand
20131116-162417.391 628 635 aflame head
...etc
splunk recognises the timestamp field but nothing else, so i am trying to identify the remaining fields, at search time, as Xpsn Ypsn prime sub
(nb. in the following regex epressions the '\' after each '(?<' is added to get this edit window to display properly and not in the splunk search line).
This works:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |top prime
This also works:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |table prime sub Xspn
However this does not work:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |search prime=hand |table prime sub
why? why cant search use the new fields when top, filter, table and others can??
This is not suitable:
sourcetype=MouseTracker hand | rex ... (etc) because it hits if 'hand' is first or second word.
sorry to be a ghastly newbie but this has me stumped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This might be because you've included the whitespace character in your fields. Try your search with this regex:
sourcetype=MouseTracker | rex "\s(?<Xpsn>\d+)\s(?<Ypsn>\d+)\s(?<prime>\w+)\s(?<\sub>\w+)" |search prime="hand" |table prime sub
or alternatively you could search for prime=" hand" which is probably not what you want to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And to make it 'permanent', i.e. moving it from the query to a config file;
props.conf
[MouseTracker]
REPORT-blah = mouse_tracker_extractions
transforms.conf
[mouse_tracker_extractions]
DELIMS = " "
FIELDS = timestamp, Xpsn, Ypsn, prime, sub
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks very much. That has sorted it.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
