The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde replied to Nikita's discussion Count failures and success via transaction"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
Extracting fields - first line of a multiline event
Yesterday i was having a problem extracting fields out of an event and i was looking to grab everything up until the end of a line, in the first line of a multiline event.
Goal: Extract the email address & everything after "useq:" but only on the first line. Example "create a field called 'subject' and in this case, it will be Spread Summary.
Sample:
XXSENDMAIL|20090407 12:58:32 PDT|rtprod@mlp.com|useq: Spread Summary
Current Spreads Min / Mean/Median / Max [Std]
1.0129 / 5.4759/4.6458 / 19.6657 [3.2029]
Current Spread in Ticks Min / Mean/Median Max [Std]
1 / 1.3467/1 / 13 [0.99484]
0,20,40,60,80,100th prctile spread(ticks) -> 1|1|1|1|1|13
Splunk can be told to consider the whole entire event in field extraction, or just the first line:
I found success with this transform:
[myfields]
REGEX = (?s)\d+\:\d+\:\d+ \w+\|(\S+)\|useq: ([^\n]*)$
FORMAT = email_address::$1 subject::$2
Note: the (?s) tells splunk, "hey only look on the first line -- s = single line"--and--the dollar sign at the end says "stop at the end of the line".
Worked well.
Goal: Extract the email address & everything after "useq:" but only on the first line. Example "create a field called 'subject' and in this case, it will be Spread Summary.
Sample:
XXSENDMAIL|20090407 12:58:32 PDT|rtprod@mlp.com|useq: Spread Summary
Current Spreads Min / Mean/Median / Max [Std]
1.0129 / 5.4759/4.6458 / 19.6657 [3.2029]
Current Spread in Ticks Min / Mean/Median Max [Std]
1 / 1.3467/1 / 13 [0.99484]
0,20,40,60,80,100th prctile spread(ticks) -> 1|1|1|1|1|13
Splunk can be told to consider the whole entire event in field extraction, or just the first line:
I found success with this transform:
[myfields]
REGEX = (?s)\d+\:\d+\:\d+ \w+\|(\S+)\|useq: ([^\n]*)$
FORMAT = email_address::$1 subject::$2
Note: the (?s) tells splunk, "hey only look on the first line -- s = single line"--and--the dollar sign at the end says "stop at the end of the line".
Worked well.
Views: 23
© 2012 Created by Michael Wilde.
