Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Simple event parsing question

ehs
New Member
‎01-11-2012 08:33 AM

My log file has tabular (several columns) data that I need to parse. Each element in a row is separated by spaces, and the columns line up:

Event 1:   01-11 22:22    Some_Data    2   ABC
Event 2:   01-11 20:22    Other_Data   0   XYZABC

How can I "tag" each column so that I can search and filter by it. For instance, if I'd like to call the second column TITLE, I then would like to be able to filter for all events where the TITLE="Some_Data"..which should then return Event 1.

Tags (2)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎01-11-2012 01:37 PM

Assuming that the data is indexed without the "Event 1:" etc.. prefix :

01-11 22:22    Some_Data    2   ABC
01-11 20:22    Other_Data   0   XYZABC

Then in props.conf you could define a search time extraction like :

[my_sourcetype]
EXTRACT-extract_my_fields = (?<datetime>\d{2}-\d{2}\s\d{2}:\d{2})\s+(?<title>\w+)\s+(?<col3>\w+)\s+(?<col4>\w+)

Note : I've made a few assumptions about the pattern of the column values, hence it's a rather generic regex, but you can tweak it as needed. Also, I didn't know what to name col3 and col4, so put your own keys in.

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...