Hello everyone, I am trying to extract several “NEW” fields from a field and I am having trouble doing so.
The field I am trying to extract from is a default field in an index, but for some reason the field name and its contents are not located in the "_raw" field. So, I am unable to use the built-in Splunk extractor to accomplish what I am trying to do. The contents of the sourcefield vary, as seen below.
sourcefield=/var/log/bash_history/localuser/DOMAIN\first.last.domain • I need to extract "localuser" as field1, "DOMAIN" as field2, and "first.last.domain" as field3.
sourcefield=/var/log/bash_history/DOMAIN\first.last.domain/DOMAIN\first.last.domain • I need to extract "DOMAIN" as field2 and "first.last.domain" as field3.
Would it make sense to use the first example to extract all fields, since both content paths share similar strings with the exception of "localuser"? That way, if the "localuser" field doesn't exist it would just see it as a NULL value? Any help will be greatly appreciated.
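One regex that handles both path shapes from the question, as an added example that is not part of the original post or of any reply. It assumes the fixed prefix `/var/log/bash_history/` shown in the samples and treats the first segment after it as `field1` only when that segment contains no backslash, so a `DOMAIN\user` segment in that position is skipped and `field1` is simply absent (which is how an unmatched named group behaves in Splunk as well). The pattern uses PCRE-compatible named groups, so the same expression can be placed in a `rex field=sourcefield "..."` command; the sample inputs below are the two values from the question.

```python
import re

# Pattern covering both sourcefield shapes from the thread.
# (?P<name>...) is Python's named-group syntax; PCRE (and therefore
# Splunk's rex) accepts it too, alongside (?<name>...).
SOURCEFIELD_RE = re.compile(
    r"^/var/log/bash_history/"
    r"(?:(?P<field1>[^/\\]+)|[^/]+)/"   # plain localuser -> field1; DOMAIN\user here is skipped
    r"(?P<field2>[^/\\]+)\\"            # DOMAIN, terminated by a literal backslash
    r"(?P<field3>[^/\\]+)$"             # first.last.domain, up to end of string
)


def extract(sourcefield: str) -> dict:
    """Return the extracted fields, omitting any group that did not match.

    An unmatched group (field1 for the DOMAIN\\user/DOMAIN\\user shape) is
    dropped so the result mirrors Splunk, where the field is just not created.
    """
    m = SOURCEFIELD_RE.match(sourcefield)
    if not m:
        return {}
    return {name: value for name, value in m.groupdict().items() if value is not None}


if __name__ == "__main__":
    # Constructed from the two example values in the question.
    samples = [
        r"/var/log/bash_history/localuser/DOMAIN\first.last.domain",
        r"/var/log/bash_history/DOMAIN\first.last.domain/DOMAIN\first.last.domain",
        r"/var/log/bash_history/unexpected",   # no DOMAIN\user segment: nothing extracted
    ]
    for s in samples:
        print(s, "->", extract(s))
```

When copying the pattern into a search, keep in mind that the backslash separating DOMAIN from the user name must survive SPL's own string quoting, so check the resulting `field2` and `field3` values on a handful of events before relying on the extraction.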
@gcusello I am not sure what you are asking. Is the question how many results "field1" can potentially have? If so, field1 should not have more than 4 results (i.e. name1, name2, name3, or name4).
I had something similar to what you posted and I was never able to get the DOMAIN field to extract. I will try what you posted and I will post my results shortly.