
I have a log set up as: timestamp, user account, query

Splunk is not identifying the second column as 'user account', mostly because there isn't anything to identify it as a user account (no column title). Is there any way to make Splunk read this column so that it will show as an interesting field regardless of the value?

Log sample (two events; the second column is the user account number):

2013-05-13 15:00:00,000 C012345
2013-05-13 15:00:00,000 C543210

asked 13 May '13, 14:41

cruzalan90


One Answer:

You should be able to accomplish this by reading this documentation:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime

You'll eventually want to create a field extract in the Manager. But before you do, use the rex command to create a field extract on-the-fly. The '...' in the example below represents your search, then just tack-on the rex. 'user_id' can be any name you want it to be.

... | rex "^(?:[^ ]* ){2}(?<user_id>[^ ]+)\s"

The first section skips the date and time fields, and the second part picks up the third field and assigns it to the field name 'user_id'. Then you can run the search, look at your menu of field names, and click on the field to see what it is capturing.

Once you have this working the way you want it to, take everything inside the quotes of the rex and put it into a new field extract via the Manager.

answered 13 May '13, 16:03

wrangler2x

Something is still not right.

The rex command is very close to what I'm looking for, but it looks like the timestamp and account ID are being identified as column 1.

Right now: 2013-05-13 15:00:00,000 C012345 = Column 1

Should be: 2013-05-13 15:00:00,000 = Column 1
C012345 = Column 2

I'm still fairly new to Splunk, so what can I do to separate the timestamp from the account ID first, before I apply the rex command?

Thank you!

(14 May '13, 07:25) cruzalan90

I don't understand what you mean by column 1, so let's start with you posting some more information.

  1. Let's see the actual search you are using.
  2. Let's see the search result (cut and paste) for one record.
  3. Let's see the raw data. To do this, on one record of the search result you click on the blue box with the white arrow to reveal a 3-item menu. Click on "show source" and then copy and paste the record that is highlighted.
(14 May '13, 08:29) wrangler2x

As far as the rex goes, and in your example (2013-05-13 15:00:00,000 C012345) it is skipping 2013-05-13 and 15:00:00,000 and then picking up C012345 as a field extract under the label user_id. It does not affect the output of your search other than to make this field available by name, and then to appear under "Interesting Field(s)" unless you have selected it to appear in the "selected fields" list.

Splunk should automagically have figured out the date field and the time fields. timestartpos shows where it sees these beginning (should be zero) and timeendpos where it ends. Also date_ fields.

(14 May '13, 08:32) wrangler2x

What I meant by columns was referring to the actual logs.

  1. index = hrfarm | rex "^(?:[^ ]* ){2}(?<account_id>[^ ]+)\s"

  2. 2013-05-13 17:32:26,962 C083363 / GUID: C083363 / select permission1_.PermissionId as col_0_0_ from...

The rex command works, just not at the correct position, and when I change the position to either {1} or {3} it's still not correct.

Interesting field "account_id":

  position {2} returns: GUID: or sometimes commands
  position {1} returns: 2013-05-13 17:32:26,962 C083363
  position {3} returns: GUID: C083363 (close, but I want the first account ID value)

(14 May '13, 12:37) cruzalan90
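Added example, not part of the original thread and not Splunk's code: a small Python stand-in for `... | rex` that runs the answer's pattern over the log lines posted above, so the capture behaviour can be checked offline before the pattern is pasted into a Manager field extraction. The sample events are constructed from the question and the comment above (one event per line); the `pcre_to_python` helper, the `(?:\s|$)` variant, and the assumption that account IDs look like `C` followed by digits (true of the three IDs on this page, not a known property of the real logs) are assumptions made for this example.

```python
import re

# Constructed sample events, copied from the lines posted in the thread,
# one event per line (Splunk's _raw for a single-line event has no trailing newline).
SAMPLE_EVENTS = [
    "2013-05-13 15:00:00,000 C012345",
    "2013-05-13 15:00:00,000 C543210",
    "2013-05-13 17:32:26,962 C083363 / GUID: C083363 / select permission1_.PermissionId as col_0_0_ from ...",
]

# The pattern exactly as given in the answer: skip two space-delimited tokens
# (date, time), capture the third as user_id, and require whitespace after it.
ANSWER_PATTERN = r"^(?:[^ ]* ){2}(?<user_id>[^ ]+)\s"

# Added variant: also accept end-of-event after the ID, so a terse event that
# ends with the account ID (like the question's sample) still yields a field.
EOL_SAFE_PATTERN = r"^(?:[^ ]* ){2}(?<user_id>[^ ]+)(?:\s|$)"

# Added variant that anchors on the ID's shape instead of on token position.
# Assumption (based only on the three posted IDs): an account ID is 'C' plus digits.
SHAPE_PATTERN = r"^\S+\s+\S+\s+(?<account_id>C\d+)\b"


def pcre_to_python(pattern):
    """Splunk's rex is PCRE, where named groups are (?<name>...); Python's re
    spells them (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def rex(pattern, events):
    """Emulate `... | rex "<pattern>"`: for each event return the named groups
    that matched. An empty dict means no field was extracted for that event,
    which is exactly what a non-matching rex produces in Splunk."""
    compiled = re.compile(pcre_to_python(pattern))
    extracted = []
    for event in events:
        m = compiled.search(event)
        extracted.append(m.groupdict() if m else {})
    return extracted


def field_values(extractions, field):
    """Distinct values of one field, the way the Interesting Fields sidebar lists them."""
    return sorted({e[field] for e in extractions if field in e})


if __name__ == "__main__":
    for name, pattern in (("answer", ANSWER_PATTERN),
                          ("eol-safe", EOL_SAFE_PATTERN),
                          ("shape", SHAPE_PATTERN)):
        print(name, rex(pattern, SAMPLE_EVENTS))
```

Running it shows the one caveat worth knowing before the Manager step: the answer's pattern ends in `\s`, so it only extracts a value when something follows the account ID (the full events with `/ GUID: ...` match; the two terse sample events do not). The `(?:\s|$)` form extracts from all three. Whichever form you settle on, the PCRE string goes into the field extraction unchanged; the `(?P<` rewrite is needed only for Python's regex engine.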

Last updated: 14 May '13, 12:37

Copyright © 2005-2014 Splunk Inc. All rights reserved.