I am working on MS Azure logs and some of the fields are not getting parsed so I tried to use the field extraction in splunk however I am not getting those field parsed after doing all the steps involved in field extraction.
I have tried both regex and delimiter based field extraction.
Appreciate any kind of help on this issue.
This regex string should extract the two fields you mentioned.
(?:[^;]+;){8}(?<storAcctName>[^;]+);(?:[^;]+;){5}(?<ipAddress>[^;]+);
If you want the IP address without port number, use this.
(?:[^;]+;){8}(?<storAcctName>[^;]+);(?:[^;]+;){5}(?<ipAddress>[^:]+):
Hi Rich,
All the fields are getting parsed in the field extractor wizard however they are not showing up in search.
Sumit Kukreja
Hi Rich,
All the fields are getting parsed in the extract field wizard but still not getting them in search.
Sumit Kukreja
Did you save the results of the extract field wizard?
Yes I do save them and I can see them in filed extraction tab.
mscs:storage:blob : EXTRACT-Method,Status,StorageAccount,IPAddress
My save field extraction name.
Sumit Kukreja
I can't explain why it's not working.
Kindly post a sample of the log entries you wish to parse.
Hi Rich,
1.0;20170302T12:56:26.2817264Z;QueryTables;Success;200;6;6;authenticated;StorageAccountName;table;"https://StorageAccountName.table.core.windows.net:443/Tables";"/";xxxxx;0;**IP Address**:62615;2015-07-08;532;0;250;12;0;;;;;;"Azure-Storage/0.32.0 (Python CPython 2.7.11; Windows 2012ServerR2)";;"xxxxxx
I want to parse StorageAccountName & IP Address in the log.
Whats exact generated _raw event , past it here