- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Pull out fields embedded in logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm looking for information about how to pull out field information from inside the log messages. For example...
Message=(Error) I/O error on file system 'prodops' operation WRITE inode (Message repeated 4732 times)
Message=(Error) I/O error on file system 'proxy' operation WRITE inode (Message repeated 4 times)
Message=(Error) I/O error on file system 'wwtowip' operation WRITE inode
These come from Windows event logs and I want to be able to sort on how many times these errors happen to each individual filesystem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a number of ways to extract fields. Overview of search-time field extractions is a good resource.
For the data you have here, you could do this in the rex command as well -
yoursearchhere
| rex "(?<msg>.*?file system)\s*\'(?<file_system>.*?)\' operation (?<operation>.*)(?:\(Message repeated (?<msgcount>\d+) times\))*"
| fillnull value=1 msgcount
| stats sum(msgcount) as MessageCount by msg file_system
I've probably made some typo in the regular expression... but I hope you get the idea
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a number of ways to extract fields. Overview of search-time field extractions is a good resource.
For the data you have here, you could do this in the rex command as well -
yoursearchhere
| rex "(?<msg>.*?file system)\s*\'(?<file_system>.*?)\' operation (?<operation>.*)(?:\(Message repeated (?<msgcount>\d+) times\))*"
| fillnull value=1 msgcount
| stats sum(msgcount) as MessageCount by msg file_system
I've probably made some typo in the regular expression... but I hope you get the idea
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this looks great for long term usage.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should use rex to create a field from within the Message field that you can search on later.
index=main sourcetype="*security*" | rex field=Message "... error on file system '(?<filesystem>.*)' | stats count by filesystem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This worked great inline.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
