how to edit logs to not look like raw text

Mr_Sneed
Explorer

Currently I am feeding Splunk Zeek logs (formerly known as bro) via the monitor command. Some of the logs in the Zeek index are being parsed correctly. Other logs, however, are still appearing as raw text. 

I remember in the past there was a certain link in the settings where I could specify how to extract each field in the event, what to call the field, and what data belonged to it. I also remember being able to test the specific settings I was applying against a log of the same index/source type.

Any help interpreting what I am trying to communicate or guidance as to finding that specific page I am looking for is very much appreciated. 


PickleRick
SplunkTrust

Field extractions do _not_ change what the raw event looks like. They only extract parts of the original event into specific fields.

BTW, instead of reinventing the wheel, why not check out the add-ons that are already on Splunkbase?

BTW2, are you sure your field extractions aren't already defined and simply not showing because you're searching in fast mode?

Mr_Sneed
Explorer

PickleRick, I found the answer to my question.

The answer: if, when searching an index for data, you come across an event that appears to be raw text...

Note the source type and verify it is created (Settings > Source types > search the specific index and create it if it does not exist).

Then, in Search and Reporting:

click the drop-down associated with the event that contains "raw" text,

click the drop-down titled "Event Actions",

select Extract Fields,

observe the log and select the appropriate delimiter,

name your fields,

assign appropriate permissions,

and enjoy.


To answer your questions:

I chose not to use Splunk base apps or addons for this particular task because these particular apps and addons are not intuitive to configure and hard to find usable documentation for. 

I do not know how to identify if I am using fast mode search or not.


Thanks for the help

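The same delimiter-based extraction that the Extract Fields UI produces can be written directly in configuration. The following is an added example and is not from either poster: a props.conf/transforms.conf pair for Zeek's tab-separated conn.log. The source type name zeek_conn, the transform names, and the field list are assumptions; the FIELDS list must match the #fields header line of your own conn.log, in order.

```ini
# props.conf
[zeek_conn]
# One Zeek record per line; never merge lines into multi-line events
SHOULD_LINEMERGE = false
# Search-time extraction (search head): splits _raw into fields but
# leaves the raw event itself untouched, as noted above
REPORT-zeek_conn_fields = zeek_conn_tsv
# Index-time (indexer/heavy forwarder): drop Zeek's #separator/#fields/
# #types/#close header lines, which are the events that show up as "raw"
# text with no fields
TRANSFORMS-drop_zeek_header = zeek_drop_comments

# transforms.conf
[zeek_conn_tsv]
# Zeek TSV logs are tab-delimited; field names assumed from a default conn.log
DELIMS = "\t"
FIELDS = ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, local_resp, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes, tunnel_parents

[zeek_drop_comments]
# Route lines beginning with '#' to the null queue so they are never indexed
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
```

Fast mode turns off automatic field discovery, so verify the extraction in Verbose or Smart mode (the search mode selector sits next to the search bar), for example with `index=zeek sourcetype=zeek_conn | table ts uid id.orig_h id.resp_h conn_state`.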