- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to define a data filter in order to apply diff...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am new to Splunk Enterprise
Here is my problem:
I have a data source in the form of text files which contains two type of events, and each can be identified by a string
Ex :
line 1 : XXXX XX XXX ENVXXXXXXXXXXX
line 2 : XXXXXXXXXXORDXXXX XXX XXXXX
line 3 : XXXXXXXXXXORDXXXX XXX XXXXX
etc...
What I'm trying to do is to find a way to extract fields according to each type of event.
I've came up with two fields extractors, one for the line that contains "ENV", and one for "ORD", each contain a regex to extract the information I want.
However, I don't understand how to use them properly yet.
Is there a way to tell Splunk that if it finds lines that contains "ENV", then apply extractor X, otherwise extractor Y ?
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it depends on how you write your regular expression. In fact, I find this easiest to do by editing props.conf directly
[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})
With these extractions, only events that match the first pattern (which includes "ENV") will have field1, and only events that match the second pattern (including "ORD") will contain field2
You can make your regular expressions as complex as they need to be, in order to match exactly and only the data you want. Also, you can have a single EXTRACT line that extracts multiple fields at once. But I often find it is easier to write each field extraction separately, as I have done here, especially when the patterns are different.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it depends on how you write your regular expression. In fact, I find this easiest to do by editing props.conf directly
[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})
With these extractions, only events that match the first pattern (which includes "ENV") will have field1, and only events that match the second pattern (including "ORD") will contain field2
You can make your regular expressions as complex as they need to be, in order to match exactly and only the data you want. Also, you can have a single EXTRACT line that extracts multiple fields at once. But I often find it is easier to write each field extraction separately, as I have done here, especially when the patterns are different.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
