Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About suepfarrell
suepfarrell
New Member
Member since:
07-31-2013
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 07-31-2013 |
Activity Feed
- Posted Re: extract subject from maillog on Splunk Search. 08-15-2013 10:54 PM
- Posted Re: extract subject from maillog on Splunk Search. 08-15-2013 08:52 PM
- Posted Re: How to extract data (email address, subject) between two blank spaces that are after the field identifier - eg From: on Splunk Search. 08-13-2013 10:10 PM
- Posted Re: How to extract data (email address, subject) between two blank spaces that are after the field identifier - eg From: on Splunk Search. 08-13-2013 10:09 PM
- Posted Re: How to extract data (email address, subject) between two blank spaces that are after the field identifier - eg From: on Splunk Search. 08-13-2013 09:12 PM
- Posted Re: Interactive Field Extraction (regex) on Splunk Search. 08-07-2013 09:27 PM
- Posted How to extract data (email address, subject) between two blank spaces that are after the field identifier - eg From: on Splunk Search. 08-07-2013 07:28 PM
- Tagged How to extract data (email address, subject) between two blank spaces that are after the field identifier - eg From: on Splunk Search. 08-07-2013 07:28 PM
- Tagged How to extract data (email address, subject) between two blank spaces that are after the field identifier - eg From: on Splunk Search. 08-07-2013 07:28 PM
- Posted Re: How to retrieve & compare numerical data (which is X number of characters after a field name is found) on Splunk Search. 08-01-2013 01:36 AM
- Posted How to retrieve & compare numerical data (which is X number of characters after a field name is found) on Splunk Search. 07-31-2013 09:59 PM
- Tagged How to retrieve & compare numerical data (which is X number of characters after a field name is found) on Splunk Search. 07-31-2013 09:59 PM
Topics I've Started
08-15-2013
10:54 PM
Thx jstockamp - that didn't quite work. I will give more detail in my own question I think. About to go set one up now.
Thanks
... View more
08-15-2013
08:52 PM
Hi
Did you get an answer for this - trying to do this myself. My email subjects differ so I want to table them all
How did you end up extracting the subject lines?
Thanks
Sue
... View more
08-13-2013
10:10 PM
If I search on labels (From, to, subject) the search will return them on separate lines and the lines can be in the one event or can be scattered over one or more events. The lines I am after should follow each other closely, and I would have thought always be in the same event, however the reasons for SPLUNK's returned search split I haven't worked out yet.
... View more
08-13-2013
10:09 PM
Splunk (out of the box) creates events, not sure how it decides & why my relevant data is not in the selected, interesting or other fields.
Eg raw data: There may be more lines of data in between the relevant example lines. Sometimes the line is repeated and the only difference is a bracketed number, eg. (36). Bracketed numbers aren't relevent to me. I also need to be careful I do not pick up both lines of data and count things twice.
There is data before and after the relevant fields (on each line) that I haven't listed for privacy sake or not relevant to the search.
... View more
08-13-2013
09:12 PM
Thankyou - I am now going to digest & play with this. Will let you know how I get on.
... View more
08-07-2013
09:27 PM
Hi
Can you tell me if i and P are exactly typed like this or you substituted field names in here?
Thinking this (with changes) may be my answer
... View more
08-07-2013
07:28 PM
Hi
Our fields have a space between the field name and the information we want to .
The two searches I have tried are:
source="D:\Splunk\File.trc" AND (From: OR To: OR Subject:) | rex field=_raw "From: (? .) To: (? . ) Subject: (? .*)" | return from, to, subject
search result
from="" to "" subject ""
source="D:\Splunk\FlightCentre\July 18th 2013 Files\TCLINKSM1.trc" AND From: | rex field=_raw ".*From: +(? [a-z]+)" | return from
search result
from=""
Raw data looks like this (modified to take out dates etc) but relevant bit is below.
-> TranslateRFC1522 From: Person1 Surname (50)
-> TranslateRFC1522 To: Person2 Surname (65)
-> TranslateRFC1522 Subject: invoice # 52174 (24)
I think it's not returning anything as there is a space after the field(s) we are interested in extracting and before the data we want.
I tried the 2nd search with [a-z] after reading many, many Q&A's.
Does anyone know how I can find everything after the field searched up to an open bracket "("
Thanks
... View more
08-01-2013
01:36 AM
Thankyou very much
... View more
07-31-2013
09:59 PM
Apologies if this answer exists somewhere. I am new to SPLUNK, I have been searching in user documents and How to FAQs but I am running out of time and have an urgent production problem to resolve.
I am using SPLUNK to search a log file for reasons why prod emails have gone astray.
In doing some basic searches I have determined a few fields we want to look at more closely. The search is greater than below but to simplify the question I will just refer to the one field.
"Document Converter returned" is one field I am searching on and I have noticed "Document Converter returned 0" is most common event. However when that field is not equal to 0 (eg "Document Converter returned 2043") the email is in error.
I want to only return the ones not equal to zero as the errors returned may be more than just "2043"
Example Search.
source="D:\Splunk\Logfile.trc" AND ("Document Converter returned") returns 47 events of which only 1 has Document Converter returned 2043.
source="D:\Splunk\Logfile.trc" AND ("Document Converter returned" !=0) doesn't work and I think it is because of the space before the 0 (???)
How can I search for "Document Converter returned" !=0 to only return events in error? Is there a way to search on "Document Converter returned" then extract the next "n" characters and compare the extracted characters only to 0? Or, something better?
As there are spaces I think SPLUNK is just seeing everything on this particular line as many fields and not linking the numbers post "Document Converter returned" to that field.
Thx in advance
... View more
- Tags:
- how
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
