Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction of usually ommited info

dominiquevocat
SplunkTrust
SplunkTrust
‎08-26-2010 11:38 AM

Hi,

i have a couple of logfiles where there is one important "field" that splunk does not recognize because it is not made of alphanumeric characters.

The possible values are "<<<<<" or "<====" indidicating if the logged event happened on the frontend or the backend. Which of course is important information inf finding an error.

How can i (best case) define a tag for this so i could label instances with either "frontend" or "backend"?

Regards Dom

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 04:23 PM

e.g.:

props.conf:

[mysourcetype]
EXTRACT-end = (?<end>\<\<\<\<\<|\<====)

You will end up with a field "end" with the value either "<<<<<" or "<====" for each event. That's a little ugly, so you could define a lookup to make it look better:

props.conf:

[mysourcetype]
EXTRACT-end = (?<end>\<\<\<\<\<|\<====)
LOOKUP-endprettify = enddesc end OUTPUT enddesc

transforms.conf:

[enddesc]
filename = enddesc.csv

lookups/enddesc.csv:

end,enddesc
"<<<<<","frontend"
"<====","backend"

This will also allow you to search on enddesc="frontend", which will work the same as end="<<<<<"

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 04:23 PM

e.g.:

props.conf:

[mysourcetype]
EXTRACT-end = (?<end>\<\<\<\<\<|\<====)

You will end up with a field "end" with the value either "<<<<<" or "<====" for each event. That's a little ugly, so you could define a lookup to make it look better:

props.conf:

[mysourcetype]
EXTRACT-end = (?<end>\<\<\<\<\<|\<====)
LOOKUP-endprettify = enddesc end OUTPUT enddesc

transforms.conf:

[enddesc]
filename = enddesc.csv

lookups/enddesc.csv:

end,enddesc
"<<<<<","frontend"
"<====","backend"

This will also allow you to search on enddesc="frontend", which will work the same as end="<<<<<"

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-27-2010 02:18 PM

You would use the "rex" command to do it similarly.

0 Karma
Reply
Solved! Jump to solution

dominiquevocat
SplunkTrust
SplunkTrust
‎08-27-2010 08:02 AM

Ok, look nice enough. Will try it. At pure search time i.e. with the search language would interest me however. i'm new to the product so please ignore my ignorance 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...