Can you help me with a problem I'm having parsing ...

TitanAE · ‎09-28-2018

I'm new to parsing fields in splunk. And, in truth, I'm not great at regex yet. I'm trying to parse an event in Splunk like this.

[ EVENT_NUMBER = 4768 ]

That way my selected field is Event_Number and the value is 4768. I'm considering 2 options:

Parsing the field with regex. But once that's accomplished i'm not sure what config types I'd need in Splunk.
Identifying the field with a simple parse/transfrom config. Again not sure what I need to accomplish this.

Any advice on the best course of action is appreciated.

TitanAE

gcusello · ‎09-29-2018

Hi TitanAE,
try to use the Splunk Field Extractor that guides you in field extraction without knowing Regexes.

You can access it in an easy way:

run a search,
identify an event wher there's the field you want to extract,
on this event, click on the ">" button on "i" column,
click on Event actions button and Extract Fields option,
Splunk opens a new window,
click on "Regular Expressions" button and then on "Next" button,
using your mouse select the value you want to extract,
add the field name and click on "Add extraction" button,,
check results and then "Next",
che if you need some exclusion and then "Next",
save your field (I suggest always in App),
"Finish"
usually you need ro reload page to have the field and don't fear if you don't see it immediately it needs a few time to be ready.

Bye.
Giuseppe

P.S. I suggest to study regexes: when you'll know them you'll use only them (personal experience)!

Can you help me with a problem I'm having parsing fields?