Splunk Search

most frequent eventlogs challenge

New Member

Here is the custom event log format:

field1 field2 field3 FREE_TEXT

How would one query, say Top 10, FREE_TEXT ignoring first 3 fields which are space separated. FREE_TEXT can be any application level debug message which is not a fixed format.

Creating Fields is not an option. Neither is the code change to generate standard log format like Apache web log.

Just a single instance Splunk server(no clustering).

Tags (2)
0 Karma

Path Finder

Why is creating fields not an option? Even if you don't want fields for all searches, you can create per-search fields using the rex command.

You should be able to do something like:

... | rex field=_raw "^[^ ]+ [^ ]+ [^ ]+ (?<free_text>.+)" | top limit=10 free_text
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!