- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex using transforms.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not quite sure if I'm doing this right or going in the right direction. I have a log where the results are a bunch of numbers. Each number represents the time it took for a specific command to run. The first number represents a command, the second number represents another command, etc.
Here's what the line looks like:
2012-01-11 19:00:05+00 | eap.someregistry.net | 5 | 30 | 4 | 21 | 7 | 45 | 11 | 6 | 13 | 2
I have successfully extracted the eap.someregistry.net and labeled it "server". However I want to extract the numbers as well and have them labeled based on the command that they represent.
Example:
5 would be Login
30 would be Delete
4 would be Create
etc.
I was thinking of using transforms.conf and props.conf for this but I'm not quite sure how to go about this. I don't have a ton of experience using these files for this type of extraction.
I'm reading about props and transforms right now but figured I'd ask this question while I read more. What's the best way to go about doing this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can perform a search time named field extraction with something like this in props.conf
Replace the fields names(command1, command2 etc...) with your specific command names
[my_sourcetype]
EXTRACT-extract_my_fields = \|\s(?<command1>\d+)\s\|\s(?<command2>\d+)\s\|\s(?<command3>\d+)\s\|\s(?<command4>\d+)\s\|\s(?<command5>\d+)\s\|\s(?<command6>\d+)\s\|\s(?<command7>\d+)\s\|\s(?<command8>\d+)\s\|\s(?<command9>\d+)\s\|\s(?<command10>\d+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can perform a search time named field extraction with something like this in props.conf
Replace the fields names(command1, command2 etc...) with your specific command names
[my_sourcetype]
EXTRACT-extract_my_fields = \|\s(?<command1>\d+)\s\|\s(?<command2>\d+)\s\|\s(?<command3>\d+)\s\|\s(?<command4>\d+)\s\|\s(?<command5>\d+)\s\|\s(?<command6>\d+)\s\|\s(?<command7>\d+)\s\|\s(?<command8>\d+)\s\|\s(?<command9>\d+)\s\|\s(?<command10>\d+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah this worked great. Thanks....good to know for the future!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So far I've got a monster regex pulling out all of the numbers but I might see about putting this into files...just not sure how to go about doing it..
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
