Splunk Search

Field Extraction

visa87
Explorer

Hi,

I am trying to read some systemout log files and extract data from it.
Sample info in the log is as below :

Field1 Accept Indicator :: true
Field1 Accept Indicator :: false
Field2 Accept Indicator :: true
Field2 Accept Indicator :: false
Total Time Taken by ReqA****156
etc

I am new to Splunk and not sure what is the correct approach to get these fields extracted.
I tried using the regex generated by Field Extraction but it does not give accurate results.

Can anyone help me with the regex as well?


esix_splunk
Splunk Employee

For understanding the difference between having your extractions in props.conf vs transforms.conf, reading through the spec file for props.conf can be quite enlightening:

http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Propsconf

Defining new search-time field extractions. You can define basic search-time field extractions entirely through props.conf. But a transforms.conf component is required if you need to create search-time field extractions that involve one or more of the following:
* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.
* Application of more than one regex to the same source, source type, or host.
* Delimiter-based field extractions (they involve field-value pairs that are separated by commas, colons, semicolons, bars, or something similar).
* Extraction of multiple values for the same field (multivalued field extraction).
* Extraction of fields with names that begin with numbers or underscores.

visa87
Explorer

Thanks... That helped. But I don't understand what can be achieved by adding these regexes to transforms.


abacus_machine_
Engager

Then you can accept the answer which helped you.


esix_splunk
Splunk Employee

You can do regex as follows:

.. | rex field=_raw "Field1.*\:\:\s(?<f1_value>\w+)"

That would get this for Field1; you can modify it for each field, assuming this is a single-line event.

For the total time event-

.. | rex field=_raw "ReqA(?<time_value>\d+)"

Again, these are for single-line events. You can drop those regexes into props.conf or transforms.conf for your sourcetype and extract them there.
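As an added example (not code from the thread), the rex patterns from this answer applied in JavaScript, whose regex engine accepts the same `(?<name>...)` named-group syntax as Splunk, to events constructed from the question's sample lines. The `\D*` variant is an assumption for the case where the asterisks in `ReqA****156` are literal characters in the log rather than redaction.

```javascript
// Constructed sample events, modelled on the lines in the question above.
const sampleEvents = [
  "Field1 Accept Indicator :: true",
  "Field1 Accept Indicator :: false",
  "Field2 Accept Indicator :: true",
  "Total Time Taken by ReqA****156",
];

// One named-group regex per extraction, as in the `rex` commands above.
// Each rule is tried against every event; a rule that does not match
// contributes no field, just as rex leaves the field unset on a miss.
const extractions = [
  /Field1.*\:\:\s(?<f1_value>\w+)/,
  /Field2.*\:\:\s(?<f2_value>\w+)/,
  /ReqA(?<time_value>\d+)/,
  // Assumed variant (not from the thread): if "****" is literally in the log,
  // skip any non-digit characters between "ReqA" and the number.
  /ReqA\D*(?<time_value_tolerant>\d+)/,
];

// Apply every extraction rule to one raw event and return the fields found.
function extractFields(raw, rules = extractions) {
  const fields = { _raw: raw };
  for (const re of rules) {
    const m = re.exec(raw);
    if (m && m.groups) Object.assign(fields, m.groups);
  }
  return fields;
}

// Generalisation of the Field1/Field2 rules: capture the field name and the
// boolean value with a single regex, the way one reusable transforms.conf
// regex would serve every "FieldN Accept Indicator" line. Returns null on miss.
function extractIndicator(raw) {
  const m = /^(?<name>Field\d+) Accept Indicator :: (?<value>true|false)$/.exec(raw);
  return m ? { name: m.groups.name, value: m.groups.value === "true" } : null;
}

for (const ev of sampleEvents) {
  console.log(extractFields(ev), extractIndicator(ev));
}
```

Note that the strict `ReqA(?<time_value>\d+)` pattern yields no field for the sample line as written, because the asterisks sit between "ReqA" and the digits.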

visa87
Explorer

I want to extract the time taken as a field and the numeric value as the value for that field. Similarly, I want Field 1 Accept Indicator as a field F1 which can either have true or false as value.


esix_splunk
Splunk Employee

First off, let us know what fields you want to extract, and what the values in your representative data look like. Then we can help!
