Hello, I am a n00bie in Splunk.
So I needed some information from unstructured .log file.
I added the data through the web interface, and then used field extraction to get some fields I wanted to get.
Now, I have UNSTRUC_LOG: EXTRACT- FIRST in Field extractions list.
UNSTRUC_LOG: EXTRACT- FIRST Inline ^\d+/\d+/\d+\s+\d+:\d+:\d+\s+\w+:\s+\w+/\w+\s+\w+/\w+\s+\w+/\w+\s+\w+/\w+\s+\w+/\w+\s+\w+/\w+\s+\w+-\w+\s+\w+-\w+\s+\w+\s+\w+\s+%\w+\s+\w+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+(?P<await_svctm_sdb>\d+.\d+\s+\d+.\d+)\s+\d+.\d+\s+\w+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+(?P<await_svctm_sdc>\d+.\d+\s+\d+.\d+)\s+\d+.\d+\s+\w+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+(?P<await_svctm_sda>\d+.\d+\s+\d+.\d+)\s+\d+.\d+\s+\w+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+(?P<await_svctm_sdd>\d+.\d+\s+\d+.\d+)\s+\d+.\d+\s+\w+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+\d+.\d+\s+(?P<await_svctm_sde>\d+.\d+\s+\d+.\d+)
How can I manipulate / edit the fields I extracted ?
Do I use |inputlookup?
I would appreciate any input from you guys.
Jack
Is that by chance a table-shaped output from a unix shell command displaying info about disks?
If so, there are way more convenient ways of using the cells from such a table - do post a sample event and tell us more about the source.
Alternatively, grab the Linux App from https://splunkbase.splunk.com/app/273/ and see if it already contains pre-built configuration for that sourcetype.
Is that by chance a table-shaped output from a unix shell command displaying info about disks?
If so, there are way more convenient ways of using the cells from such a table - do post a sample event and tell us more about the source.
Alternatively, grab the Linux App from https://splunkbase.splunk.com/app/273/ and see if it already contains pre-built configuration for that sourcetype.