Splunk Search

can we have a uniqueID for two field extractions

rakesh_498115
Motivator

Hi,

Actually I have two events in the output like this:

event 1

......
...
......

User Message

......
....
......

Application Message

......
......
.....

event 2:

........
...........
.......

User Message

.........
....
....
.
..

Now my question: I need to create a field extraction for Message, in which I am interested only in User Message and System Message. So I have created two rex expressions like this:

rex field=_raw "<.*?System.*?\s+<.*?Search_Message>(?<Search_Message>[^<]*)<"
rex field=_raw "<.*?UI.*?\s+<.*?Search_Message>(?<Search_Message>[^<]*)<"

and my query is something like this:

sourcetype="A" | rex field=_raw "<.*?System.*?\s+<.*?Search_Message>(?<Search_Message>[^<]*)<" | rex field=_raw "<.*?UI.*?\s+<.*?Search_Message>(?<Search_Message>[^<]*)<" | search Search_Message="User Message" | table Search_Message

This query is working fine, but it's taking too long. So my question: can I create two rex expressions like what I created just above using the field extractions in Splunk? And can I make this query run faster? Please help.

0 Karma

lguinn2
Legend

Try this

sourcetype=A "User Message" OR "System Message"
| rex field=_raw  "\<message\>(?P<Search_Message>.*?)\</message\>" 
| where Search_Message="User Message" or Search_Message="System Message"
| table Search_Message

Or if you only want User Messages, then this

sourcetype=A "User Message" 
| rex field=_raw  "\<message\>(?P<Search_Message>.*?)\</message\>" 
| where Search_Message="User Message"
| table Search_Message

This should be faster, because you are first selecting only events that have the string "User Message" or "System Message" in them. This should eliminate many unneeded events before Splunk even starts the field extraction. Also, I think your field extraction is more complicated than it needs to be.

0 Karma
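To see why the answer above is faster, here is an added Python example (not code from the thread or from Splunk) that emulates both pipelines offline on a handful of constructed events. It runs the exact regex from the answer with Python's re module, which accepts the same (?P<name>...) named-group syntax as Splunk's rex, and counts how many times the regex has to run in each approach. The literal-string prefilter is a plain substring check, a simplification of Splunk's index-time term matching, and the sample events are invented for the demonstration.

```python
import re

# Constructed sample _raw events (not from the original post); each carries
# a <message> element like the one the answer's regex targets.
SAMPLE_EVENTS = [
    '<event><type>UI</type> <message>User Message</message></event>',
    '<event><type>System</type> <message>System Message</message></event>',
    '<event><type>System</type> <message>Heartbeat OK</message></event>',
    '<event><type>UI</type> <message>Application Message</message></event>',
    '<event><type>UI</type> <message>User Message</message></event>',
]

# The regex from the answer, unchanged: Python's re understands the same
# (?P<name>...) named group that Splunk's rex (PCRE) uses.
SEARCH_MESSAGE_RE = re.compile(r"\<message\>(?P<Search_Message>.*?)\</message\>")

# The values the `where` clause keeps.
WANTED = {"User Message", "System Message"}


def rex_search_message(raw):
    """Emulate `rex field=_raw ...`: return the extracted value, or None."""
    m = SEARCH_MESSAGE_RE.search(raw)
    return m.group("Search_Message") if m else None


def extract_then_filter(events, wanted=WANTED):
    """The question's approach: run the regex on every event, then filter.

    Returns (extracted values that survived the filter, number of regex runs).
    """
    regex_runs = 0
    results = []
    for raw in events:
        regex_runs += 1
        value = rex_search_message(raw)
        if value in wanted:
            results.append(value)
    return results, regex_runs


def filter_then_extract(events, wanted=WANTED):
    """The answer's approach: `sourcetype=A "User Message" OR "System Message"`
    first, so only events containing one of the literal strings reach rex,
    then the `where` clause on the extracted field.

    The substring test stands in for Splunk's indexed-term search (assumption:
    it is only an approximation of how Splunk matches quoted phrases).
    """
    regex_runs = 0
    results = []
    for raw in events:
        if not any(term in raw for term in wanted):
            continue  # dropped before any field extraction happens
        regex_runs += 1
        value = rex_search_message(raw)
        if value in wanted:
            results.append(value)
    return results, regex_runs


if __name__ == "__main__":
    slow = extract_then_filter(SAMPLE_EVENTS)
    fast = filter_then_extract(SAMPLE_EVENTS)
    print("extract then filter:", slow)
    print("filter then extract:", fast)
    print("User Message only:", filter_then_extract(SAMPLE_EVENTS, {"User Message"}))
```

Both pipelines return the same three values, but the prefiltered one runs the regex on three events instead of five; on a real index, where most events are neither a User Message nor a System Message, the saving scales with everything the literal search discards before rex is reached.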

lguinn2
Legend

The formatting of your question makes it difficult to read. Can you edit the question and change the rex command and the query to "code format"? I can't tell if you meant some of the special characters to be part of your query or if you intended to format the question...

0 Karma