Splunk Search

What is the right way of logging data to extract as a custom field?

naveenchappa
New Member

I need to extract the field clientBizId from splunk events. For my application, log events are not indexed properly (see attachment). If I build a regular expression to extract the value of clientBizId, sometimes it may not work properly because of indexing.


Here I have two options.
1. Correct the Splunk forwarder, or something else, so that the logs are indexed correctly. (I have no idea how to fix it.)
2. A right approach to log clientBizId with its value, so that it can be easily extracted and works in any case.

I need help on option 2. If I log something like "clientBizId=GMS_USA_company", does it work?

Regards,
Naveen

0 Karma

mayurr98
Super Champion

Hi @naveenchappa

In order to index logs correctly, you need to define props.conf on your indexer at /opt/splunk/etc/apps/<app-name>/local/props.conf:

[<specify-sourcetype>]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
DATETIME_CONFIG = 
MAX_TIMESTAMP_LOOKAHEAD = 
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true

Save this configuration and restart the indexer.
And in order to extract clientBizId=GMS_USA_company, you can go to the search head UI, Settings > Fields > Field extractions > New,
provide a name, the sourcetype name, and the following regex:

clientBizId=\s?(?P<clientBizId>\w+)

Let me know if this helps !

0 Karma
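A worked example of option 2, added here and not code from the thread or from Splunk: it writes an event in the key=value form the question proposes, with the timestamp at the start of the line as the props.conf stanza above expects, and then runs two extraction regexes over constructed sample lines. The first regex is the one from the answer above; the second is my own hardened variant (an assumption about what values may look like) that also accepts a double-quoted value and reads up to the next whitespace, comma or semicolon. The practitioner caveat it demonstrates is that `\w+` stops at the first `-` or `.`, so a value like GMS-EU.retail is silently truncated to GMS, and a quoted value is not matched at all. The logger name, field names, paths and sample lines are all made up for the example.

```python
"""Added example: log clientBizId as a key=value pair and verify it extracts.

Not code from the original thread. The log format, sample lines and the
"hardened" regex are assumptions; ANSWER_RE is the regex from the answer.
"""
import logging
import re
from datetime import datetime
from io import StringIO

# Regex as posted in the answer (Splunk uses PCRE; Python's re accepts the
# same (?P<name>...) named-group syntax, so the behaviour is comparable).
ANSWER_RE = re.compile(r"clientBizId=\s?(?P<clientBizId>\w+)")

# Hardened variant (assumption about what values may look like): accept an
# optional double-quoted value, otherwise read up to the next whitespace,
# comma or semicolon, so '-' and '.' inside a value are not truncated.
HARDENED_RE = re.compile(
    r'clientBizId=\s?(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,;"]+))'
)

# Timestamp layout matching the stanza's TIME_PREFIX = ^ and
# TIME_FORMAT = %Y-%m-%d %H:%M:%S: the timestamp must start the line.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def make_logger(stream):
    """One event per line: '<timestamp> level=<LEVEL> <key=value ...>'."""
    logger = logging.getLogger("clientBizId-example")   # hypothetical name
    logger.handlers.clear()          # idempotent when called repeatedly
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(
        "%(asctime)s level=%(levelname)s %(message)s", datefmt=TIME_FORMAT))
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def log_request(logger, client_biz_id, path, quote=False):
    """Emit clientBizId as key=value. quote=True wraps the value in double
    quotes, which is needed if a value could ever contain whitespace."""
    value = '"%s"' % client_biz_id.replace('"', "") if quote else client_biz_id
    logger.info("clientBizId=%s path=%s", value, path)


def logged_line(client_biz_id, path="/api/v1/orders", quote=False):
    """Render one event exactly as a forwarder would read it from the file."""
    buf = StringIO()
    log_request(make_logger(buf), client_biz_id, path, quote=quote)
    return buf.getvalue().rstrip("\n")


def has_leading_timestamp(line):
    """True if the line starts with a timestamp in TIME_FORMAT."""
    try:
        datetime.strptime(line[:19], TIME_FORMAT)
    except ValueError:
        return False
    return True


def extract(line, pattern=HARDENED_RE):
    """Return the extracted clientBizId, or None when the field is absent."""
    m = pattern.search(line)
    if not m:
        return None
    return next((v for v in m.groupdict().values() if v is not None), None)


# Constructed sample events (not real log data) covering the edge cases:
# plain value, value with '-' and '.', quoted value with spaces, field absent.
SAMPLE_LINES = [
    "2024-03-01 10:00:00 level=INFO clientBizId=GMS_USA_company path=/api/v1/orders",
    "2024-03-01 10:00:01 level=INFO clientBizId=GMS-EU.retail path=/api/v1/orders",
    '2024-03-01 10:00:02 level=INFO clientBizId="GMS USA company" path=/api/v1/orders',
    "2024-03-01 10:00:03 level=INFO path=/health",
]


def compare(lines=SAMPLE_LINES):
    """Run both regexes over each line; returns [(answer_value, hardened_value)]."""
    return [(extract(l, ANSWER_RE), extract(l, HARDENED_RE)) for l in lines]


if __name__ == "__main__":
    line = logged_line("GMS_USA_company")
    print(line, "->", extract(line))
    for sample, (a, h) in zip(SAMPLE_LINES, compare()):
        print("%-80s answer=%r hardened=%r" % (sample, a, h))
```

Two notes on using this with Splunk. First, key=value pairs are normally picked up automatically at search time (KV_MODE = auto is the default for most sourcetypes), so the `clientBizId=GMS_USA_company` form usually needs no custom extraction at all as long as the value has no spaces; quote the value if it ever can. Second, if you do want an explicit regex, it can be set as a search-time extraction in props.conf on the search head (`EXTRACT-clientBizId = <regex>` under the sourcetype stanza) instead of through the UI; search-time settings do not require re-indexing, unlike the timestamp settings in the stanza above.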

naveenchappa
New Member

Thanks Mayur for quick response. Regarding first option, we have some challenges to update props.conf file.
So I prefer to try second option.

0 Karma

mayurr98
Super Champion

Yes, in order to execute the first option you need to re-index the entire data set again.
Try the second option; if it works, then please acknowledge my answer, and if it does not, then please let me know.

0 Karma

naveenchappa
New Member

sure Mayur.

0 Karma