I've been trying to use the field extractor to get some useful data from my Sophos Anti-virus scan log. Unfortunately, it doesn't seem to work. I also can't figure out how I would break the event up using transforms.conf.
The log contains the following summary when I search it in Splunk (it has its own sourcetype [SAV-too_small]).
20140604 042046 Scan 'Daily Scan 5am' completed.
20140604 042046 Summary of results for scan 'Daily Scan 5am':
Items scanned: 198971
Errors: 0
Items quarantined: 0
Items dealt with: 0
What I want is to get some kind of table or chart where it splits up "errors" and "items" as separate fields.
Any help would be much appreciated
Thanks,
thommck
Hi thommck,
based on your provided data, use something like this:
your base search to get the events needed | rex field=_raw "Items\sscanned:\s(?<items>.+)" | rex field=_raw "Errors:\s(?<errors>.+)" | table items errors
hope this helps ...
cheers, MuS
Based on your sample data it looks like you might also benefit from using the mvexpand command.
One of the examples on the documentation page for mvexpand uses rex, like has already been suggested, but also allows you to have other data (e.g., timestamp) from the original event applied.
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Mvexpand
I'll look into this, thanks
Thanks, this works but is there a way to make it always index the data this way?
Sure, read the docs about field extraction using conf files. This will extract the fields at search time once configured. If you prefer to have it extracted at index time, read the docs about indexed field extraction.
cheers, MuS
pls, mark this as answered by accepting the answer - thx
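As an added example (not from the thread), here is what the search-time field extraction MuS points to looks like in props.conf and transforms.conf, using the sourcetype name from the question. Everything else is my choice: the stanza names (sav_*), the field names (items_scanned, errors, items_quarantined, items_dealt_with), and the line-breaking and timestamp settings, which assume the four counter lines should be kept in the same event as the "Summary of results" header line. The rex-and-table search above needs that too: if every line were indexed as its own event, items and errors would land in different rows. Using \d+ instead of .+ keeps the captured values numeric, so stats and chart work on them directly.

```ini
# props.conf  (added example, not Splunk's or Sophos' own configuration)
# Stanza name is the sourcetype from the question.
[SAV-too_small]

# Index-time: one event per timestamped line. The summary header
# "20140604 042046 Summary of results ..." starts an event and the four
# indented counter lines that follow (no leading timestamp) stay attached to it.
# Assumption: the counters always follow the header line directly.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{8}\s\d{6}\s)
TIME_PREFIX = ^
TIME_FORMAT = %Y%m%d %H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 15

# Search-time: REPORT-<class> lists transforms.conf stanzas to run on this
# sourcetype. The fields are extracted when a search reads the events, so
# they also appear for data that was indexed before this was configured.
REPORT-sav_summary = sav_items_scanned, sav_errors, sav_items_quarantined, sav_items_dealt_with

# transforms.conf  (added example; stanza and field names are assumptions)
[sav_items_scanned]
REGEX  = Items scanned:\s+(\d+)
FORMAT = items_scanned::$1

[sav_errors]
REGEX  = Errors:\s+(\d+)
FORMAT = errors::$1

[sav_items_quarantined]
REGEX  = Items quarantined:\s+(\d+)
FORMAT = items_quarantined::$1

[sav_items_dealt_with]
REGEX  = Items dealt with:\s+(\d+)
FORMAT = items_dealt_with::$1
```

The REPORT- extraction belongs in a props.conf/transforms.conf pair on the search head; the LINE_BREAKER and TIME_* settings are applied where the data is parsed (indexer or heavy forwarder) and only affect events indexed after the change. To check the result, search sourcetype=SAV-too_small and look for the four fields in the field sidebar, or run something like `sourcetype=SAV-too_small | table _time items_scanned errors items_quarantined items_dealt_with`; an empty column usually means the regex does not match the whitespace in the real lines (e.g. tabs instead of spaces), so test the REGEX values against an actual event with rex first. As for indexing the fields instead (INDEXED_EXTRACTIONS / WRITE_META), that costs index space, cannot be changed for data already indexed, and is normally only worth it for fields you filter on in nearly every search; the search-time version above is the usual default.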