Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extraction

visa87
Explorer
‎01-06-2015 09:59 PM

Hi,

I am trying to read some systemout log files and extract data from it.
Sample info in the log is as below :

Field1 Accept Indicator :: true
Field1 Accept Indicator :: false
Field2 Accept Indicator :: true
Field2 Accept Indicator :: false
Total Time Taken by ReqA****156
etc

I am new to Splunk and not sure what is the correct approach to get these fields extracted..
I tried using the regex generated by Field Extraction but it does not give accurate results.

Can anyone help me with the regex as well?

Tags (2)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-08-2015 01:08 AM

For understanding the difference between having your extractions in props.conf vs transforms.conf, reading through the spec file for props.conf can be quite englightening:

http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Propsconf

Defining new search-time field extractions. You can define basic search-time field
extractions entirely through props.conf. But a transforms.conf component is required if
you need to create search-time field extractions that involve one or more of the following:
* Reuse of the same field-extracting regular expression across multiple sources,
source types, or hosts.
* Application of more than one regex to the same source, source type, or host.
* Delimiter-based field extractions (they involve field-value pairs that are
separated by commas, colons, semicolons, bars, or something similar).
* Extraction of multiple values for the same field (multivalued field extraction).
* Extraction of fields with names that begin with numbers or underscores.

Reply

visa87
Explorer
‎01-07-2015 08:49 PM

Thanks... That helped. But I dont understand what can be achieved by adding these regex to transforms.

0 Karma
Reply

abacus_machine_
Engager
‎01-08-2015 12:44 AM

Then you can accept the answer which helped you.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-06-2015 10:59 PM

You can do regex as follows:

.. | rex field=_raw "Field1.*\:\:\s(?<f1_value>\w+)"

That would get this for Field1, you can modify for each field, assuming this is a single line event.

For the total time event-

.. | rex field=_raw "ReqA(?<time_value>\d+)"

Again, these are for single line events. You can drop those regex's into props.conf or transforms for your sourcetime and extract them there.

Reply

visa87
Explorer
‎01-06-2015 10:46 PM

I want to extract the time taken as a field and the numeric value as the value for tat field. Similarly I want Field 1 Accept Indicator as a field F1 which can either have true or false as value

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-06-2015 10:04 PM

First off, let us know what fields you want to extract, and what the values in your representative data looks like.. Then we can help!

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...