Splunk Search

Turning a search into a new field

cpeteman
Contributor

The following search removes usernames, host names, all time information, any digits, and turns all strings of white space into a single "_" for the _raw message.

.... |rex mode=sed "s/[a-z]+\d{1,4}//" |rex mode=sed "s/user\s[a-z]+/user /" 
|rex mode=sed "s/(user|USER)=[a-z]+/user=/" |rex mode=sed "s/\d+//g" 
|rex mode=sed "s/(January|February|March|April|May|June|July|August|September|October|November|December|Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sep|Oct|Nov|Dec|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g" 
|rex mode=sed "s/\s+/_/g" | rename _raw AS msgdigest | stats count by msgdigest

I would like to have this "digested" message available as a field. Does anyone know how to turn this into a field? Preferably with the transforms and extraction pages in Manager, as I'm currently having unrelated problems with props.conf and transforms.conf files. Please help!

0 Karma
1 Solution

yannK
Splunk Employee

A workaround is to create a macro and call it after the search.

For the automatic field extractions (rex command), please see
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...
I never tried to use mode=sed in the configuration file; I couldn't figure out if it's possible.


0 Karma

cpeteman
Contributor

I'm not really sure what you mean. Where am I using this re? And what do I put in the regex expression if I only have a sed expression?

0 Karma

lukejadamec
Super Champion

Did this not work?
Syntax
rex field=

0 Karma


cpeteman
Contributor

For now a macro seems to be the only option. I did manage to avoid my fear in the above comment.

0 Karma

cpeteman
Contributor

A macro would take away the original _raw message, as I have my search now, that is. Do you know if that can be avoided?

0 Karma
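One way to keep the original _raw and still get the digest as its own field, added here as an illustration and not taken from any post in the thread: copy _raw into a new field with eval and point every rex at that copy with field=, so the sed rewrites only touch the copy. The index and sourcetype are assumptions; the field name msgdigest and the sed expressions are the ones from the question, with the longer month names placed before their abbreviations so that "Feb" does not match first and leave "ruary" behind.

```spl
index=main sourcetype=syslog
| eval msgdigest=_raw
| rex field=msgdigest mode=sed "s/[a-z]+\d{1,4}//"
| rex field=msgdigest mode=sed "s/user\s[a-z]+/user /"
| rex field=msgdigest mode=sed "s/(user|USER)=[a-z]+/user=/"
| rex field=msgdigest mode=sed "s/\d+//g"
| rex field=msgdigest mode=sed "s/(January|February|March|April|May|June|July|August|September|October|November|December|Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sep|Oct|Nov|Dec|Mon|Tue|Wed|Thu|Fri|Sat|Sun|PM|AM|PDT|PST)//g"
| rex field=msgdigest mode=sed "s/\s+/_/g"
| stats count, first(_raw) AS example_raw by msgdigest
| sort count
```

Because _raw is never renamed or rewritten, each row of the result carries a real sample event next to its digest, and sorting by ascending count puts the rarest message templates at the top, which is usually where the odd event worth a closer look sits. The same rex chain can be wrapped in a macro, as suggested in the accepted answer, and invoked after the eval line.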