I have a log set up as: timestamp, user account, query
Splunk is not identifying the second column as 'user account', mostly because there isn't anything to identify it as a user account (no column title). Is there any way to make Splunk read this column so that it will show as an interesting field regardless of the value?
Log sample:
2013-05-13 15:00:00,000 C012345 (user account #)
2013-05-13 15:00:00,000 C543210
asked 13 May '13, 14:41
You should be able to accomplish this by reading this documentation:
You'll eventually want to create a field extract in the Manager. But before you do, use the rex command to create a field extract on the fly. The '...' in the example below represents your search; then just tack on the rex. 'user_id' can be any name you want it to be.
The first section skips the date and time fields, and the second part picks up the third field and assigns it to the field name 'user_id'. Then you can run the search, look at your menu of field names, and click on the field to see what it is capturing.
Once you have this working the way you want it to, take everything inside the quotes for the rex and put it into a new field extract via the Manager.
answered 13 May '13, 16:03
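The on-the-fly extraction the answer describes, written out as an added example (not the answerer's own search). It assumes the events are indexed under a sourcetype named query_log and names the field user_id; the regex skips the two whitespace-delimited date and time tokens and captures the third token, and events where the pattern does not match are tagged UNEXTRACTED so a gap in the extraction is visible before it is made permanent.

```spl
sourcetype=query_log
| rex field=_raw "^\S+\s+\S+\s+(?<user_id>\S+)"
| fillnull value="UNEXTRACTED" user_id
| stats count by user_id
| sort - count
```

Once the counts look right, the same regex becomes the permanent extraction as `EXTRACT-user_id = ^\S+\s+\S+\s+(?<user_id>\S+)` in the `[query_log]` stanza of props.conf, which is what the Manager's field extraction dialog writes for you.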