Splunk Search

How can I determine the regex used for an extraction in a specific event?

pinVie
Path Finder

Hello all,

One problem that I frequently have is that I need to know what extraction was used for a specific event. It might happen that the extraction regex works in 99% of all cases, but then I spot some events where the extraction failed - in most cases it is just a minor fix in the regex - e.g., replacing [A-Za-z] with \w because I missed that this field may contain numbers or something of the like.

Finding the actual EXTRACT in the props.conf takes more time than fixing it. Of course I can start with the sourcetype, but if I have 20 or more (not so perfectly named) EXTRACTs, that's quite hard. Right now I have the "convenient" problem that an existing EXTRACT matches a similar event perfectly - I just don't know which one 🙂

I'd really appreciate some tips/hints.

Thx a lot !!


jeffland
SplunkTrust

Unfortunately, there is no way to do this for an individual event that I know of, but you can have a look at the search log (job inspector - search.log) to see all extractions done for the search.
In the long run, you will have to start naming your extractions sensibly, because you can only ever identify them by either their name or their content. A good naming convention is of course always a good idea, but it becomes a necessity in growing environments.

A good thing is that you do not have to use the web UI to look/search for them; you can use btool (run from $SPLUNK_HOME/bin):

./splunk cmd btool props list

will show you all definitions in all props.conf across your system. Combine this with | grep, and (with a nice naming convention) you have all you need.
btool can also consider app and user context with --app= and --user=, and it can show you which file the settings originate from with --debug. Check the docs here.

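A small helper, added here as an illustration rather than code from either poster or from Splunk, that automates the "btool plus grep" approach from the answer above: it parses the output of `splunk cmd btool props list --debug` (the constructed sample below mimics that format, with the originating .conf file prefixed to every line), collects every EXTRACT-* setting under a given sourcetype, and tests each regex against one event to report which extractions match and what they capture. Splunk evaluates these regexes with PCRE; Python's re module is used here as an approximation, with PCRE's `(?<name>...)` group syntax rewritten to Python's `(?P<name>...)`. The sample stanza names, extraction names and event text are invented for the example. Note how the `[A-Za-z]+` extraction from the question does match, but truncates the value, which is exactly the kind of silent partial failure the question describes.

```python
import re

# Constructed sample of `splunk cmd btool props list --debug` output (not real config).
SAMPLE_BTOOL_OUTPUT = r"""
/opt/splunk/etc/apps/myapp/local/props.conf  [myapp:auth]
/opt/splunk/etc/apps/myapp/local/props.conf  EXTRACT-user_alpha = user=(?<user>[A-Za-z]+)
/opt/splunk/etc/apps/myapp/local/props.conf  EXTRACT-user_word = user=(?<user>\w+)
/opt/splunk/etc/apps/myapp/local/props.conf  EXTRACT-src = src=(?<src_ip>\d+\.\d+\.\d+\.\d+)
/opt/splunk/etc/apps/myapp/local/props.conf  EXTRACT-in_field = (?<host_short>[^.]+) in host
/opt/splunk/etc/apps/myapp/local/props.conf  SHOULD_LINEMERGE = false
/opt/splunk/etc/system/default/props.conf  [default]
/opt/splunk/etc/system/default/props.conf  EXTRACT-noop = nothing
"""

FILE_PREFIX = re.compile(r"^(\S+\.conf)\s+(.*)$")   # --debug prepends the source file
STANZA = re.compile(r"^\[(.*)\]$")
EXTRACT_KEY = re.compile(r"^EXTRACT-(\S+)\s*=\s*(.*)$")
IN_CLAUSE = re.compile(r"^(.*)\s+in\s+(\w+)$")       # "EXTRACT-x = <regex> in <field>"


def parse_btool_props(text):
    """Return {stanza: [(extract_name, regex, source_field, conf_file), ...]}."""
    extractions = {}
    stanza = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        conf_file = None
        m = FILE_PREFIX.match(line)
        if m:
            conf_file, line = m.group(1), m.group(2).strip()
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
            extractions.setdefault(stanza, [])
            continue
        m = EXTRACT_KEY.match(line)
        if m and stanza is not None:
            name, value = m.group(1), m.group(2).strip()
            src_field = "_raw"  # default: the regex runs against the raw event
            m_in = IN_CLAUSE.match(value)
            if m_in:
                value, src_field = m_in.group(1).rstrip(), m_in.group(2)
            extractions[stanza].append((name, value, src_field, conf_file))
    return extractions


def pcre_to_python(regex):
    """Rewrite PCRE named groups (?<n>...) to Python's (?P<n>...). Lookbehinds (?<= (?<! are untouched."""
    return re.sub(r"\(\?<(?P<n>[A-Za-z_]\w*)>", r"(?P<\g<n>>", regex)


def find_matching_extractions(extractions, sourcetype, raw, fields=None):
    """Test every EXTRACT under `sourcetype` against one event.

    Returns [(extract_name, captured_fields_or_error, conf_file), ...] for the ones that match.
    `fields` holds already-known fields (host, source, ...) for extractions with an "in <field>" clause.
    """
    fields = dict(fields or {})
    fields["_raw"] = raw
    results = []
    for name, regex, src_field, conf_file in extractions.get(sourcetype, []):
        if src_field not in fields:
            continue  # extraction reads a field this event does not carry
        try:
            pattern = re.compile(pcre_to_python(regex))
        except re.error as exc:
            results.append((name, "COMPILE_ERROR: %s" % exc, conf_file))
            continue
        m = pattern.search(fields[src_field])
        if m:
            results.append((name, m.groupdict(), conf_file))
    return results


if __name__ == "__main__":
    # Constructed event: "user=bob42" is the case where [A-Za-z]+ only captures "bob".
    event = "2024-01-01T00:00:00Z user=bob42 src=10.0.0.5 action=login"
    ex = parse_btool_props(SAMPLE_BTOOL_OUTPUT)
    for name, captured, conf_file in find_matching_extractions(
            ex, "myapp:auth", event, {"host": "web01.example.com"}):
        print("EXTRACT-%-12s %-35s %s" % (name, captured, conf_file))
```

In practice you would feed the script the real btool output (`./splunk cmd btool props list --debug > props.txt`) and an event copied from search, then compare the captured values against what Splunk shows for that event; an extraction that matches but captures a shorter value than expected is the one to fix. Differences between PCRE and Python re (possessive quantifiers, some Unicode classes) can make the result differ from Splunk's for unusual regexes, so treat a mismatch here as a pointer rather than proof.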