2014-11-04 13:23:33 - bigtime.com:443 HEAD /index.html - - - 521.218.22.87 - - - 200 - - myid
Above is one "row" returned from my initial search. The 10th column/field is (521.218.22.87). Note: count each - as a column. Is there an easy way to display any particular column (in this case the 10th) in Splunk? Note this information is always in the 10th column.
This works (see comments above)
index=YourIndex sourcetype="Your Source Type" | head 100 | rex "(?i)^(?:[^\t]*\t){9}(?P<FIELDNAME>[^\t]+)" | top 50 FIELDNAME
Thanks for everyone's help. I SUSPECT the field I am looking for does not show up because this particular log [out of the 10 in our index] is generated from Weblogic and the pretrained "source type" = access_common, so it cannot see it. I ended up selecting a record, selected the EVENT ACTIONS pulldown and selected "Extract Fields". Using this tool it generated me a regex of rex "(?i)^(?:[^\t]*\t){9}(?P<FIELDNAME>[^\t]+)". A real example follows.
index=YourIndex sourcetype="access_common" | head 100 | rex "(?i)^(?:[^\t]*\t){9}(?P<FIELDNAME>[^\t]+)" | top 50 FIELDNAME
Obviously I was looking for IP addresses. In our case we had Weblogic write the cookie containing this IP info to the log.
Strange that Splunk hasn't extracted the fields automatically... anyway, try running something like:
index=bla ... | rex field=_raw "^(?P<field1>.*) (?P<field2>.*) (?P<field3>.*) (?P<field4>.*) (?P<field5>.*) (?P<field6>.*) (?P<field7>.*) (?P<field8>.*) (?P<field9>.*) (?P<field10>.*) (?P<field11>.*) (?P<field12>.*) (?P<field13>.*)$" | table *
This is a very basic regex assuming the data will always have 13 fields separated by a "space".
I'm making some huge assumptions on the format of your data, but you could try this:
index="Your_index" | rex "(?<Date>\d{4}\-\d{2}\-\d{2})\s(?<Time>\d{2}\:\d{2}\:\d{2})\s\-\s(?<URL>.+\:\d+)\s(?<Field1>\w+)\s(?<Field2>\/\S+)\s\-\s\-\s\-\s(?<the_column_you_want>\S+)\s\-\s\-\s\-\s(?<Field3>\d+)\s\-\s\-\s(?<Field4>\S+)" | table the_column_you_want
Assuming there is a single space between each column, you can use the following to get any specific column number (run-anywhere sample; check the number of spaces, which might have changed due to formatting here). Note that PCRE group names must start with a letter or underscore, so the captured fields are named Column1, Column2, etc.
| gentimes start=-1 | eval _raw="2014-11-04 13:23:33 - bigtime.com:443 HEAD /index.html - - - 521.218.22.87 - - - 200 - - myid" | table _raw | rex "([^ ]*\s){0}(?<Column1>[^ ]+)" | rex "([^ ]*\s){1}(?<Column2>[^ ]*)" | rex "([^ ]*\s){4}(?<Column5>[^ ]*)" | rex "([^ ]*\s){8}(?<Column9>[^ ]*)" | rex "([^ ]*\s){9}(?<Column10>[^ ]*)"
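The column-counting pattern used in the answers above, tested offline with Python's re module (an added example, not code from the thread or from Splunk): it builds the same PCRE shape for any column number and delimiter, shows why a tab-based pattern matches nothing against space-separated events, and checks that the value pulled from column 10 actually parses as an IP address before it is treated as one, since the OP says the value was written from a client-supplied cookie. The sample line is the one from the question; the function names are assumptions for this example.

```python
import re
from ipaddress import ip_address

# Sample event copied from the question (the 521.x address is clearly a
# placeholder, not a routable IPv4 address).
SAMPLE = ("2014-11-04 13:23:33 - bigtime.com:443 HEAD /index.html - - - "
          "521.218.22.87 - - - 200 - - myid")


def column_regex(n, sep=" "):
    """Same shape as the Splunk rex above: skip n-1 delimited columns, then
    capture the n-th. Splunk's rex (PCRE) accepts (?P<col>...) as well as
    (?<col>...); Python's re only understands the (?P<...>) form."""
    s = re.escape(sep)
    return re.compile(r"^(?:[^%s]*%s){%d}(?P<col>[^%s]+)" % (s, s, n - 1, s))


def nth_column(line, n, sep=" "):
    """Return the n-th (1-based) delimiter-separated column, or None when
    the line has fewer than n columns or uses a different delimiter."""
    m = column_regex(n, sep).match(line)
    return m.group("col") if m else None


def extracted_ip(line, n=10):
    """Extract column n and validate it as an IP address. Anything that is
    not a real address (a placeholder, a '-' filler, or garbage a client
    put in the cookie) comes back as None instead of being trusted."""
    value = nth_column(line, n)
    if value is None:
        return None
    try:
        return str(ip_address(value))
    except ValueError:
        return None


if __name__ == "__main__":
    print(nth_column(SAMPLE, 10))                      # 521.218.22.87
    print(nth_column(SAMPLE, 10, sep="\t"))            # None: tab pattern, space data
    print(extracted_ip(SAMPLE))                        # None: 521.x is not a valid IP
```

The `sep="\t"` case reproduces the OP's original symptom: the Field Extractor guessed a tab delimiter, so its regex never matched the space-separated events.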
That is the raw data. No field shows up for this out of 110 fields. That is why I asked the question. The sourcetype is access_common. I need to parse out the 10th "column".
Just before assisting you, is that your raw data, or have those fields/columns already been extracted? If you already have the fields extracted just use: search bla bla bla | table fieldABC
replacing fieldABC by the correct field name. If you don't have the field extracted, you need to solve that first. Once fields are extracted, you can search using search fieldABC="bla"
If you're not familiar with the Splunk GUI you can see which fields are extracted by simply running a search in verbose mode and expanding one event by clicking on the > icon next to any event in the results.