
Extract New Fields

bogdan_nicolesc
Communicator

Hi there,

I'm trying so hard to make a new field in Splunk, but I don't know where I go wrong.

I would like to extract "Log Closed" or just "Log" from an event, but when I do, I get all kinds of results other than what I want.

I tried with extract and require.

On the extract end I get a mixed variety of results, most of them with no relation to what I'm looking for.

On the require end, when I select all the correct lines, I cannot press the Next button as it is grayed out. And I have no other clue what to do next.

My question is: what path should I take to get "Log Closed" or just "Log" from the event "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed" to make a new field? I would like to make a new field as I have a "Log Started" and a "Log Closed".

I even tried to look at the regex, but I understand none of it, except that I know \n is a new line.

The regex is: ^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)

Thank you.


ITWhisperer
SplunkTrust

Use regex101.com to test the regex - it gives you a breakdown of what the regex means.

In your case, if you simply want a field called LogClosed with the value "Log Closed" in it and you are not interested in any other string, you could simply use this regex:

(?P<LogClosed>Log Closed)

bogdan_nicolesc
Communicator

Thank you very much @ITWhisperer.

Why is it not showing this when checking the regex, but instead showing me some mumbo jumbo?

Also, how do I add "Log Started" to this: (?P<LogClosed>Log Closed)?

I tried something like this: (?P<Log>Log Started)|(Log Closed), but I get only the "Log Started".

What I want in the end is to make a pivot of the time when the "event" occurred and "Log Started" / "Log Closed", and get a list of "Log Started" / "Log Closed" listed by time ... if it makes sense to you what I'm trying to describe.

So having 2 fields, one called "Log Started" and the other "Log Closed", I don't think is going to work. In my head I have a reference to Windows logs, where there are codes for various events. And that "code" has multiple numbers, but if I tell Splunk what code it should look for, it works like a charm.

Anyway ... I hope I was clear enough to understand and I look forward to your reply.


ITWhisperer
SplunkTrust
(?P<Log>Log (Started|Closed))
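As an added illustration (not part of the thread), here are the three regexes discussed above run in Python's re module, which accepts the same (?P<name>...) syntax Splunk uses, over constructed sample events. The SPL pipeline mentioned in the timeline docstring is my assumed equivalent of what the poster wants, not something posted in the thread.

```python
import re

# Constructed sample events in the format quoted in the question (not real log data).
EVENTS = [
    "2021-11-18 02:19:04.291 - Thread: 1 -> Log Closed",
    "2021-11-18 02:18:59.004 - Thread: 1 -> Log Started",
    "2021-11-18 02:19:01.120 - Thread: 2 -> Processing batch",
]

# Accepted answer: one named group "Log" that captures either value.
ACCEPTED = re.compile(r"(?P<Log>Log (Started|Closed))")

# Follow-up attempt: the named group wraps only "Log Started", so on a
# "Log Closed" event the regex matches but the Log field stays empty.
ATTEMPT = re.compile(r"(?P<Log>Log Started)|(Log Closed)")

# Auto-generated regex from the question: it takes the first two words after
# "->", whatever they are, which is why unrelated text turns up in the field.
AUTOGEN = re.compile(r"^[^>\n]*>\s+(?P<LogClosed>\w+\s+\w+)")

# Timestamp prefix of the events, used to order the result the way _time would.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}")


def extract(pattern, group, events):
    """Value of the named group per event; None when the event does not match
    or the named group took no part in the match (an empty field in Splunk)."""
    values = []
    for event in events:
        match = pattern.search(event)
        values.append(match.group(group) if match else None)
    return values


def timeline(events):
    """Rows of (timestamp, Log) for events where Log was extracted, sorted by time;
    assumed SPL equivalent: | rex "(?P<Log>Log (Started|Closed))" | table _time Log | sort _time"""
    rows = []
    for event in events:
        match = ACCEPTED.search(event)
        if match is None:
            continue  # events without a Log value do not appear in the table
        rows.append((TIMESTAMP.match(event).group(0), match.group("Log")))
    return sorted(rows)


if __name__ == "__main__":
    print(extract(ACCEPTED, "Log", EVENTS), extract(ATTEMPT, "Log", EVENTS))
    print(timeline(EVENTS))
```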

bogdan_nicolesc
Communicator

Hi @ITWhisperer ,


Where or how do you learn this stuff?

I mean, I know there is info out there somewhere, but how do you put things together, or, as they say, connect the dots?

I'm asking because even when I tried to use regex101.com, it was not that obvious a choice to use this form.

Anyway ... Thank you so much.

Where do I send beer? :))


ITWhisperer
SplunkTrust

regex101.com is a great resource - trial and error goes a long way for learning this stuff - you can probably find other resources too, https://www.regular-expressions.info/ has a pretty comprehensive tutorial for example.
