Splunk Search

Extract variable number of fields

grist
New Member

I have a Smarts Audit Log that I am trying to do a search time field extraction for. Most of the lines are fairly regularly formatted using tabs (\t) as a seperator.

The problem I have is that while most of the lines have 8 fields, there are some that only have 5 and I'm not sure how to deal with that so they can all live happily in the same report. I've read a few of the suggested fixes but they seem to rely on there being a particular description field to tailor different regexes to different line formats. Mine just come up short if the fields aren't there.

Any suggestions or pointers gratefully accepted. 🙂

0 Karma

Simeon
Splunk Employee
Splunk Employee

You can have multiple extractions occur against different types of events for a specific sourcetype. This is not uncommon. The key here is that you must find a way to differentiate the lines that only have 5 fields. If it is formatted differently, that will be pretty straightforward. If it is formatted with only delimiters, then you can create a regex that operates on 5 values instead of 8. Posting a data sample will allow others to help further.

0 Karma

grist
New Member

The only difference between the lines is the number of fields. They are all tab separated so it's pretty easy to split them with a regex.

I'll have a go with 2 regexes. I'm thinking I need to so something like what's described in the first answer to http://splunk-base.splunk.com/answers/23274/parsing-variable-fields-in-a-log-file but I'm not 100% on how to do it so all the results will show in the same search.

0 Karma

MarioM
Motivator

if you could post an example of your log that would be helpful

Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...