×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
wleroy
New Member
Member since: ‎08-10-2010
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-10-2010
Activity Feed
Topics I've Started
View All

Re: Extracted fields issues

by in Splunk Search
‎08-11-2010 12:01 PM
‎08-11-2010 12:01 PM
If I'm not mistaken the regexp Splunk has generated based on my input means "extract the word located after the 4th space of the whole string", while I need "extract the 5th word of the whole string", or "extract the word located after the 4th group of 1 or more consecutive spaces" - But after many tries using online regexp tools I still can't translate that in regexp syntax banging his head on the keyboard ... View more

Re: Extracted fields issues

by in Splunk Search
‎08-11-2010 11:27 AM
‎08-11-2010 11:27 AM
Ok no prob - I'd like to give your regexp a try, but the asterisks were put there by me to highlight the hostname. I'm absolutely no expert regarding regexp and unfortunately some of the hosts don't have a dash in their hostname so I'm kinda stuck here - it seems that the only way to extract the hostname would be to filter put the 5th item of the line, no matter how many digits the day number has just like "awk '{ print $5 }'" would do in a shell Thanks anyway for your time, I'm going to see how I can modify the date format and/or my regexp ... View more

Re: Extracted fields issues

by in Splunk Search
‎08-10-2010 03:20 PM
‎08-10-2010 03:20 PM
Thanks for you reply Actually I messed up explaining the issue. I agree I'm looking for the 5th item - my problem is that Splunk sometime picks the 6th item instead of the 5th, for no apparent reason (Note the second line I pasted, saying LABEL=monitord: which is the process name, not the hostname) the others lines in my example are fine. ... View more

Extracted fields issues

by in Splunk Search
‎08-10-2010 01:02 PM
‎08-10-2010 01:02 PM
I'm experiencing weird issues with extracted fields : I have a custom field that basically get the hostname (in bold text), which is the 4th item of each log line : Aug 10 09:42:54 172.31.55.1 **sables-garnier** monitord: RPC call failed: INTERFACE_get_link_state, aborting current process pid 164 : monitord LABEL=monitord: Aug 9 19:35:19 172.31.14.1 **talmont-port** monitord: RPC call failed: INTERFACE_get_link_state, aborting current process pid 158 : monitord LABEL=talmont-port Aug 9 16:25:04 172.31.38.1 **sables-olona** monitord: RPC call failed: INTERFACE_get_link_state, aborting current process pid 158 : monitord LABEL=sables-olona I'm using this regexp : (?i)^(?:[^ ]* ){5}(?P[^ ]+) Now why in the above extract Splunk shows the fifth item (process name) as a label ? Using Splunk 4.1.4 (82143) by the way Any help appreciated Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM