Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction with duplicate values in fields

kmattern
Builder
‎04-14-2010 05:22 PM

Splunk 4.0.10

I have a log file that has 5 fields, date, time, account, received, authorized. It looks like this:

4/14/2010 11:25:08 washington-i 0 13

4/14/2010 11:25:08 jefferson-i 13 13

4/14/2010 11:25:08 jackson-i 13 13

4/14/2010 11:25:08 madison-i 13 13

4/14/2010 11:25:08 polk-i 13 13

4/14/2010 11:25:08 lincoln 12 12

4/14/2010 11:25:08 carter 0 4

4/14/2010 11:25:08 reagan 7 7

4/14/2010 11:25:08 johnson-I 12 12

4/14/2010 11:25:08 eisenhauer 7 7

4/14/2010 11:25:08 jefferson-1 13 13

When I do a search and click on extract fields I can't get Splunk to recognize every received field and it refuses to see the authorized field. I need to be able to generate a report that will display the difference between these two fields. How do I get Splunk to extract these fields?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎04-14-2010 07:09 PM

One option may be to do this via transforms.conf

To get started you could add or append these two files on your Splunk search instance.

$SPLUNK_HOME/etc/system/local/props.conf
[unknown-too_small]
KV_MODE = none
REPORT-foo = RecAuthz

$SPLUNK_HOME/etc/system/local/transforms.conf
[RecAuthz]
REGEX = ([0-9]+/[0-9]+/[0-9]+)\s([0-9|:]+)\s(\S+)\s(\d+)\s(\d+)
FORMAT = date::$1 time::$2 account::$3 received::$4 authorized::$5

---
Alternate transforms.conf (easier to read solution)
[RecAuthz]
DELIMS = " "
FIELDS = "date", "time", "account", "received", "authorized"

View solution in original post

Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎04-14-2010 07:09 PM

One option may be to do this via transforms.conf

To get started you could add or append these two files on your Splunk search instance.

$SPLUNK_HOME/etc/system/local/props.conf
[unknown-too_small]
KV_MODE = none
REPORT-foo = RecAuthz

$SPLUNK_HOME/etc/system/local/transforms.conf
[RecAuthz]
REGEX = ([0-9]+/[0-9]+/[0-9]+)\s([0-9|:]+)\s(\S+)\s(\d+)\s(\d+)
FORMAT = date::$1 time::$2 account::$3 received::$4 authorized::$5

---
Alternate transforms.conf (easier to read solution)
[RecAuthz]
DELIMS = " "
FIELDS = "date", "time", "account", "received", "authorized"

Reply
Solved! Jump to solution

kmattern
Builder
‎04-14-2010 07:51 PM

Thanks, that worked!

0 Karma
Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎04-14-2010 07:35 PM

...assuming you're an admin on that instance.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...