Hello,
I am new to Splunk Enterprise
Here is my problem:
I have a data source in the form of text files which contain two types of events, each of which can be identified by a string.
Example:
line 1 : XXXX XX XXX ENVXXXXXXXXXXX
line 2 : XXXXXXXXXXORDXXXX XXX XXXXX
line 3 : XXXXXXXXXXORDXXXX XXX XXXXX
etc...
What I'm trying to do is to find a way to extract fields according to each type of event.
I've come up with two field extractors, one for lines that contain "ENV" and one for lines that contain "ORD"; each contains a regex to extract the information I want.
However, I don't understand how to use them properly yet.
Is there a way to tell Splunk that if it finds lines that contain "ENV", it should apply extractor X, and otherwise extractor Y?
Thanks for your help
Yes, it depends on how you write your regular expression. In fact, I find this easiest to do by editing props.conf directly:
[yoursourcetypehere]
EXTRACT-e1=^\d+\s\d+\s(?<field1>\d+)ENV
EXTRACT-e2=ORD(?<field2>\d{4})
With these extractions, only events that match the first pattern (which includes "ENV") will have field1, and only events that match the second pattern (which includes "ORD") will have field2.
You can make your regular expressions as complex as they need to be, in order to match exactly and only the data you want. Also, you can have a single EXTRACT line that extracts multiple fields at once. But I often find it is easier to write each field extraction separately, as I have done here, especially when the patterns are different.
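To make the point of the answer concrete, here is an added example (it is not part of the original answer, and it is not Splunk code) that mimics what Splunk does with the two EXTRACT rules at search time: every rule is tried against every event independently, and an event simply ends up with the named groups of whichever regexes matched. The sample lines are constructed to resemble the shapes in the question, Python's re module stands in for Splunk's PCRE engine (PCRE's (?<name>...) groups are translated to Python's (?P<name>...) syntax), and the "strict" ORD pattern at the end is my own assumption based on the question's sample layout, not something from the answer.

```python
import re

# Constructed sample events shaped like the question's "line 1 / line 2 / line 3".
SAMPLE_EVENTS = [
    "2024 01 4711ENV prod-eu-1 started",       # ENV event
    "abcdefghijORD0042 foo bar",               # ORD event
    "klmnopqrstORD0043 baz qux",               # ORD event
    "zzzzzzzzzzORD7 truncated",                # looks like ORD, but not followed by 4 digits
    "2024 02 4712ENV restart ORD2024 legacy",  # ENV event that also contains "ORD" + 4 digits
]

# The two EXTRACT values from the answer, verbatim (Splunk/PCRE syntax).
PROPS_EXTRACTS = {
    "e1": r"^\d+\s\d+\s(?<field1>\d+)ENV",
    "e2": r"ORD(?<field2>\d{4})",
}

# Assumed tightening (not from the answer): only treat "ORD" as an order marker when
# it sits inside the first whitespace-free token, as in the question's sample lines.
STRICT_EXTRACTS = {
    "e1": r"^\d+\s\d+\s(?<field1>\d+)ENV",
    "e2": r"^\S*ORD(?<field2>\d{4})",
}

# "(?<" that is not the start of a lookbehind "(?<=" / "(?<!".
_NAMED_GROUP = re.compile(r"\(\?<(?![=!])")


def pcre_to_python(pattern):
    """Translate PCRE named groups (?<name>...) to Python's (?P<name>...)."""
    return _NAMED_GROUP.sub("(?P<", pattern)


def extract_fields(event, extracts):
    """Mimic Splunk search-time EXTRACT-<name> behaviour for one event.

    Each regex is applied independently (there is no if/else between them);
    the event receives exactly the named groups of the regexes that matched.
    """
    fields = {}
    for pattern in extracts.values():
        match = re.search(pcre_to_python(pattern), event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def extract_all(events, extracts):
    """Apply the extraction rules to every event; returns one dict per event."""
    return [extract_fields(event, extracts) for event in events]


if __name__ == "__main__":
    for label, rules in (("answer's rules", PROPS_EXTRACTS), ("strict rules", STRICT_EXTRACTS)):
        print(f"--- {label} ---")
        for event, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS, rules)):
            print(f"{event!r:45} -> {fields}")
```

Running it shows the behaviour the answer describes: the ENV line gets field1 only, the ORD lines get field2 only, and the line with "ORD7" gets nothing because \d{4} does not match. The last sample line is the caveat worth checking in your own data: with the answer's patterns an ENV event that happens to contain "ORD" plus four digits receives both fields, because EXTRACT rules are not mutually exclusive. The anchored variant removes that overlap for lines laid out like the question's samples; whether an anchor like that is right for your files depends on what the real lines look like.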