Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
I want to give LDAP access to my Splunk service but I don't want the LDAP users to have admin capabilities in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication?
Hello Jonathan,
Glad to have another Splunker. I've been using Splunk for 2 years and am hooked. I learned how to spell Splunk and | transaction too. You'll learn that one soon.
Go over to Splunk…
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tuned Splunking skills.
I like to wear Extra Lovable…
Feb 7
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
Yesterday I was having a problem extracting fields out of an event, and I was looking to grab everything up until the end of the line, in the first line of a multiline event.
Goal: Extract the email address and everything after "useq:", but only on the first line. Example: create a field called "subject"; in this case, it will be "Spread Summary".
Sample:
XXSENDMAIL|20090407 12:58:32 PDT|rtprod@mlp.com|useq: Spread Summary
Current Spreads Min / Mean/Median / Max [Std]
1.0129 / 5.4759/4.6458 / 19.6657 [3.2029]
Current Spread in Ticks Min / Mean/Median Max [Std]
1 / 1.3467/1 / 13 [0.99484]
0,20,40,60,80,100th prctile spread(ticks) -> 1|1|1|1|1|13
Splunk can be told to consider the whole entire event in field extraction, or just the first line:
I found success with this transform:
[myfields]
REGEX = (?s)\d+\:\d+\:\d+ \w+\|(\S+)\|useq: ([^\n]*)$
FORMAT = email_address::$1 subject::$2
Note: the (?s) tells Splunk, "hey, only look on the first line" (s = single line), and the dollar sign at the end says "stop at the end of the line".
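To see the transform's behaviour on a raw multi-line event, here is an added Python example (not part of the thread, and not Splunk's own extraction code) that runs the same regex with Python's re module. Two things are assumptions of this example rather than statements from the post: the (?m) flag is added because in Python's re engine `$` only matches at the very end of the string unless multiline mode is on, and the second, stricter pattern (anchored with `\A`) is my own variant that refuses to match anything past the first line. The two sample events are constructed; the first copies the shape of the sample above.

```python
import re
from typing import Optional

# Constructed sample event in the shape of the thread's sample: the fields of
# interest sit on the first line, the remaining lines are the multi-line body.
SAMPLE_EVENT = (
    "XXSENDMAIL|20090407 12:58:32 PDT|rtprod@mlp.com|useq: Spread Summary\n"
    "Current Spreads Min / Mean/Median / Max [Std]\n"
    "1.0129 / 5.4759/4.6458 / 19.6657 [3.2029]\n"
    "Current Spread in Ticks Min / Mean/Median Max [Std]\n"
    "1 / 1.3467/1 / 13 [0.99484]\n"
    "0,20,40,60,80,100th prctile spread(ticks) -> 1|1|1|1|1|13\n"
)

# Constructed second event: the first line carries no "useq:", a later line does.
LATER_LINE_EVENT = (
    "XXSENDMAIL|20090407 13:01:05 PDT|ops@mlp.com|no subject on this line\n"
    "AUDIT|20090407 13:01:06 PDT|bob@mlp.com|useq: Not First Line\n"
)

# The thread's pattern. (?m) is added (assumption about the engine) so that `$`
# matches at the end of each line in Python's re; [^\n]* is what keeps the
# captured subject from running past the end of its line.
THREAD_PATTERN = re.compile(r"(?m)\d+:\d+:\d+ \w+\|(\S+)\|useq: ([^\n]*)$")

# Stricter variant (my addition): \A plus a lazy [^\n]*? pins the whole match to
# the first line of the event, so a "useq:" further down is never picked up.
FIRST_LINE_PATTERN = re.compile(
    r"(?m)\A[^\n]*?\d+:\d+:\d+ \w+\|(\S+)\|useq: ([^\n]*)$"
)


def _extract(pattern: "re.Pattern[str]", event: str) -> Optional[dict]:
    """Return the two fields the transform's FORMAT line would produce, or None."""
    m = pattern.search(event)
    if m is None:
        return None
    return {"email_address": m.group(1), "subject": m.group(2)}


def extract_fields(event: str) -> Optional[dict]:
    """Apply the thread's transform regex (with (?m)) to a raw event."""
    return _extract(THREAD_PATTERN, event)


def extract_fields_first_line_only(event: str) -> Optional[dict]:
    """Same fields, but only when they appear on the first line of the event."""
    return _extract(FIRST_LINE_PATTERN, event)


if __name__ == "__main__":
    for name, event in (("sample", SAMPLE_EVENT), ("later line", LATER_LINE_EVENT)):
        print(name, "->", extract_fields(event), "|", extract_fields_first_line_only(event))
```

On the first event both patterns return rtprod@mlp.com and "Spread Summary". On the second, the thread's pattern still matches the "useq:" on line two, while the `\A`-anchored variant returns None; that difference is the check to run if a field must come from the first line only.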