Hi All,
I am new to Splunk.
I have an Informatica log. I have uploaded it into Splunk. When I am searching I am getting 5 fields.
In those 5 fields I have the _raw field, which contains all the fields that I want in my report.
_time: 6/28/12 7:09:35.000 AM
host: NODE_DEV
sourcetype: Informatica
source: S_M_O1_HR_APPL_ASSIGN_EXTRACT.txt
_raw: 2012-06-28 07:09:35 : INFO : (28947 | DIRECTOR) : (IS | Integration_Service_Dev) : NODE_DEV : CMN_1740 : Table: [SQ_IRC_ASSIGNMENT_STATUSES] (Instance Name: [SQ_IRC_ASSIGNMENT_STATUSES]) Output Rows [5497], Affected Rows [5497], Applied Rows [5497], Rejected Rows [0]
The _raw field contains Instance Name, Output Rows, Affected Rows, Applied Rows, Rejected Rows.
My requirement is that I want Instance Name, Output Rows, Affected Rows, Applied Rows, Rejected Rows to be displayed as separate fields in my report.
Please suggest a solution.
Reply ASAP.
Thanks and Regards
Kiran Kumar
See http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample
Once you have your fields defined you can simply report on them in a tabular fashion:
... | table _time, InstanceName,OutputRows,AffectedRows,AppliedRows,RejectedRows
Or create sophisticated charts and reports:
... | stats sum(OutputRows) by InstanceName
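
An added example, not part of the original answer: one way to define the fields at search time with the rex command instead of the interactive extractor linked above. It uses the field names from the table command in the answer and replays the event from the question through makeresults, so it runs without any indexed data.

```spl
| makeresults
| eval _raw="2012-06-28 07:09:35 : INFO : (28947 | DIRECTOR) : (IS | Integration_Service_Dev) : NODE_DEV : CMN_1740 : Table: [SQ_IRC_ASSIGNMENT_STATUSES] (Instance Name: [SQ_IRC_ASSIGNMENT_STATUSES]) Output Rows [5497], Affected Rows [5497], Applied Rows [5497], Rejected Rows [0]"
| rex field=_raw "Instance Name: \[(?<InstanceName>[^\]]+)\]\)\s+Output Rows \[(?<OutputRows>\d+)\],\s+Affected Rows \[(?<AffectedRows>\d+)\],\s+Applied Rows \[(?<AppliedRows>\d+)\],\s+Rejected Rows \[(?<RejectedRows>\d+)\]"
| where isnotnull(InstanceName)
| table _time, InstanceName, OutputRows, AffectedRows, AppliedRows, RejectedRows
```

Against indexed data, drop the first two lines and start from the base search for the Informatica events. The where clause discards log lines that do not carry the row counters, so they do not show up as empty rows in the report.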