- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do extract fields beginning from the end of a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a simple request 🙂 For a certain syslog source, I need to extract the 3rd word beginning from the end of a line. That's all. In a regular regex, the following works:
(\S*)[ ]\S*[ ]\S*$
And this matches correctly the SEVERE_ERROR and NORMAL_EVENT on the following lines:
Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573
Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683
However, how do I translate this into Splunk? When I try the Interactive Field Extractor, it always wants to start from the beginning of a line and I can't seem to get the correct Splunked regex for this field 😞
Any help is greatly appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can add the regex-extraction to the props.conf file. Eg. $SPLUNK_HOME/etc/system/local/props.conf or in the app you want that extraction $SPLUNK_HOME/etc/apps/<app>/local/props.conf
[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$
severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the fieldname for extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can add the regex-extraction to the props.conf file. Eg. $SPLUNK_HOME/etc/system/local/props.conf or in the app you want that extraction $SPLUNK_HOME/etc/apps/<app>/local/props.conf
[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$
severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the fieldname for extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Done & thanks again 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might want to accept the answer, if it was helpful 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You! That did the trick 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've modified the regex. This one should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I appreciate your help very much ;), but this does not seem to work...
While source_file and line_no are correctly extracted, I get "T" & "R" as severity in my log files. These correspond to the last letter of NORMAL_EVENT and SEVERE_ERROR respectively...
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
