Splunk Search

How can I determine the regex used for an extraction in a specific event?

pinVie
Path Finder

Hello all,

One problem that I frequently have is that I need to know what extraction was used for a specific event. It might happen that the extraction regex works in 99% of all cases, but then I spot some events where the extraction failed - in most cases it is just a minor fix in the regex - e.g., replacing [A-Za-z] with a \w because I missed that this field may contain numbers or something of the like.

Finding the actual EXTRACT in the props.conf takes more time than fixing it. Of course I can start with the sourcetype, but if I have 20 or more (not so perfectly named) EXTRACTs, that's quite hard. Right now I have the "convenient" problem that an already existing EXTRACT matches a similar event perfectly - I just don't know which one 🙂

I'd really appreciate some tips/hints.

Thx a lot!!

0 Karma

jeffland
SplunkTrust

Unfortunately, there is no way to do this for an individual event that I know of, but you can have a look at the search log (job inspector - search.log) to see all extractions done for the search.
In the long run, you will have to start naming your extractions sensibly, because you can only ever identify them by either their name or their content. A good naming convention is of course always a good idea, but it becomes a necessity in growing environments.

A good thing is that you do not have to use the web UI to look/search for them, you can use btool (run from $SPLUNK_HOME/bin):

./splunk cmd btool props list

will show you all definitions in all props.conf across your system. Combine this with | grep, and (with a nice naming convention) you have all you need.
btool can also consider app and user context with --app= and --user=, and it can show you which file the settings originate from with --debug. Check the docs here.

0 Karma
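To take the btool + grep step above one event further, here is an added script (not from this thread or from Splunk): it parses the output of `splunk cmd btool props list --debug` for one sourcetype's EXTRACT-* settings, converts the PCRE named groups to Python syntax, and runs every regex against the event, reporting which ones match and which do not. The btool output, the sourcetype name and the event are constructed samples; REPORT/TRANSFORMS extractions and the `EXTRACT-x = regex in field` form are not handled.

```python
import os
import re
import subprocess

# Constructed sample of what `btool props list --debug` prints for one stanza:
# each line is prefixed with the props.conf it came from. Not real btool output.
SAMPLE_BTOOL_OUTPUT = r"""
/opt/splunk/etc/apps/search/local/props.conf  [my_app_logs]
/opt/splunk/etc/apps/search/local/props.conf  EXTRACT-user = user=(?<user>[A-Za-z]+)
/opt/splunk/etc/apps/search/local/props.conf  EXTRACT-status = status=(?<status>\d{3})
/opt/splunk/etc/system/default/props.conf  SHOULD_LINEMERGE = true
"""

STANZA_LINE = re.compile(r"^(?P<file>\S+)\s+\[(?P<stanza>[^\]]+)\]\s*$")
EXTRACT_LINE = re.compile(r"^(?P<file>\S+)\s+EXTRACT-(?P<name>\S+)\s*=\s*(?P<regex>.+?)\s*$")


def btool_props(app=None):
    """Run the command from the answer (needs a Splunk install; uses $SPLUNK_HOME)."""
    splunk = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"), "bin", "splunk")
    cmd = [splunk, "cmd", "btool", "props", "list", "--debug"]
    if app:
        cmd.append(f"--app={app}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_extracts(btool_output, sourcetype):
    """Return {extraction_name: (regex, source_file)} for EXTRACT-* in one stanza."""
    extracts, current = {}, None
    for line in btool_output.splitlines():
        m = STANZA_LINE.match(line)
        if m:
            current = m.group("stanza")
            continue
        m = EXTRACT_LINE.match(line) if current == sourcetype else None
        if m:
            extracts[m.group("name")] = (m.group("regex"), m.group("file"))
    return extracts


def to_python_regex(splunk_regex):
    """Splunk regexes use PCRE (?<name>...); Python's re wants (?P<name>...).
    The lookahead keeps (?<= and (?<! lookbehinds untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", splunk_regex)


def check_event(event, extracts):
    """Apply every extraction to the event: {name: captured fields, or None if no match}."""
    results = {}
    for name, (regex, _file) in extracts.items():
        m = re.search(to_python_regex(regex), event)
        results[name] = m.groupdict() if m else None
    return results


if __name__ == "__main__":
    event = "2024-01-01 12:00:00 user=42bob status=200"  # constructed event
    for name, fields in check_event(event, parse_extracts(SAMPLE_BTOOL_OUTPUT, "my_app_logs")).items():
        print(f"EXTRACT-{name}: {fields if fields else 'NO MATCH'}")
```

With a real install, replace SAMPLE_BTOOL_OUTPUT by `btool_props()` and the script names the EXTRACT (and the file it lives in) that does not match the problem event, which is the [A-Za-z] case from the question.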