I have been using the field extractor regular expression to extract a value from a field.
The problem I am running into is that the order of the information in the field is not always consistent.
Here is a screenshot example of what I am talking about.
As you can see, I am looking to extract the integer value after the keyword "valid_secs", but sometimes the order of the information is inconsistent. So when "valid_secs" and its value do not appear in the same spot, the field extractor fails to recognize the value I am attempting to extract. (This is shown by the red arrows.)
My question is this: Is there a way to extract the value after the keyword "valid_secs"? So whenever the word "valid_secs" is spotted, it takes the value after it, which in the case of my screenshot would be 15000 or 3600, and stores this value in a new field name of my choice.
Is this something that is possible with Splunk? Or is this type of manipulation not supported?
Any answer on whether this may or may not be possible will be greatly appreciated!
P.S. The reason I am attempting this action is this: I am trying to create an alert that gets triggered whenever the value after "valid_secs" is greater than 14400.
The reason I can't do this without the field extractor is because this information is pulled in a description field, which also has a lot of other information. A screenshot of how the event looks when it comes in is below.
Thank you very much for taking the time to help me with this issue! I really appreciate the help.
Ryan
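The extraction the question asks for is a keyword-anchored regex rather than a position-based one: match the literal `valid_secs`, skip whatever separator follows it, and capture the digits, so it works wherever the pair sits inside the description. The block below is an added example, not code from the original post or from Splunk; the sample description strings are constructed to mirror the screenshot situation (same key/value pair in different positions, one event without it), and the 14400 threshold is the one the question gives. The same pattern in SPL would be a `rex` over the description field with a named capture group (for example `rex field=description "valid_secs\s*[=:]?\s*(?<valid_secs>\d+)"` followed by `where tonumber(valid_secs) > 14400`); that SPL is my suggestion, not something the post contains.

```python
import re

# Constructed sample values of the "description" field. The valid_secs pair
# moves around, one event lacks it entirely, and one uses a different separator.
SAMPLE_DESCRIPTIONS = [
    "user=alice action=login valid_secs=15000 src=10.0.0.5",
    "src=10.0.0.7 valid_secs=3600 user=bob action=login",
    "user=carol action=logout src=10.0.0.9",
    "user=dave action=login valid_secs: 20000 src=10.0.0.2",
]

# Alert threshold from the question: fire when valid_secs is greater than this.
THRESHOLD = 14400

# Keyword-anchored pattern: the leading \b stops "invalid_secs" from matching,
# \s*[=:]?\s* tolerates "=", ":" or plain whitespace as the separator, and the
# named group is the new field name that would hold the extracted integer.
VALID_SECS_RE = re.compile(r"\bvalid_secs\s*[=:]?\s*(?P<valid_secs>\d+)")


def extract_valid_secs(description):
    """Return the integer after 'valid_secs', or None when the keyword is absent."""
    match = VALID_SECS_RE.search(description)
    return int(match.group("valid_secs")) if match else None


def exceeds_threshold(description, threshold=THRESHOLD):
    """True only when valid_secs is present and strictly greater than the threshold."""
    value = extract_valid_secs(description)
    return value is not None and value > threshold


def alert_candidates(descriptions, threshold=THRESHOLD):
    """Filter a batch of description values down to the ones that should alert."""
    return [d for d in descriptions if exceeds_threshold(d, threshold)]


if __name__ == "__main__":
    for d in SAMPLE_DESCRIPTIONS:
        print(f"{extract_valid_secs(d)!s:>6}  alert={exceeds_threshold(d)}  {d}")
```

Events that carry no `valid_secs` at all yield `None` and are deliberately excluded from the alert rather than treated as zero, which is the behaviour you want for a "greater than" alert; an event whose value equals exactly 14400 also does not fire.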