Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
I want to give LDAP access to my Splunk service but I don't want the LDAP users to have admin capabilities in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication?
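The mapping the reply above describes, as an added example that is not part of the thread: a constructed authentication.conf fragment whose role map points each Splunk role at a dedicated AD group, plus a small audit that flags any role mapped to a group containing the domain admins. The setting names are real Splunk authentication.conf keys; the host, DNs, group names and the forbidden-group list are assumptions.

```python
"""Audit the LDAP role mapping in a Splunk authentication.conf.

Added example, not code from the thread. The conf text is constructed:
the setting names are real Splunk authentication.conf keys, while the host,
DNs and group names are placeholders. The check enforces what the reply
recommends: Splunk roles map only to dedicated groups, never to a group
that contains the domain admins.
"""
import configparser

AUTHENTICATION_CONF = """\
[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = ldap.example.com
port = 636
SSLEnabled = 1
bindDN = cn=splunk-svc,ou=Service Accounts,dc=example,dc=com
userBaseDN = ou=Users,dc=example,dc=com
userNameAttribute = sAMAccountName
groupBaseDN = ou=Groups,dc=example,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

[roleMap_corp_ldap]
admin = Splunk Admins
power = Splunk Power Users
user = Splunk Users
"""

# AD groups that must never be mapped to any Splunk role (assumed site policy).
FORBIDDEN_GROUPS = {"domain admins", "enterprise admins"}


def parse_role_map(conf_text):
    """Return {splunk_role: [ldap_group, ...]} across the active LDAP strategies.

    authSettings may list several strategies separated by ','; each has its
    own roleMap_<strategy> section, and one role may list several groups
    separated by ';'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case (authSettings, SSLEnabled)
    cp.read_string(conf_text)
    role_map = {}
    for strategy in cp["authentication"]["authSettings"].split(","):
        section = cp[f"roleMap_{strategy.strip()}"]
        for role, groups in section.items():
            role_map.setdefault(role, []).extend(
                g.strip() for g in groups.split(";") if g.strip())
    return role_map


def audit_role_map(role_map, forbidden=FORBIDDEN_GROUPS):
    """List (role, group) pairs that hand a Splunk role to a forbidden group."""
    return [(role, group)
            for role, groups in role_map.items()
            for group in groups
            if group.lower() in forbidden]


if __name__ == "__main__":
    findings = audit_role_map(parse_role_map(AUTHENTICATION_CONF))
    print("OK: no forbidden groups mapped" if not findings else findings)
```

Splunk grants an LDAP user only the roles whose mapped groups the user belongs to, so members of Domain Admins who are not also in one of the dedicated Splunk groups receive nothing from this mapping; the audit catches the case where someone later adds Domain Admins to the admin line.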
Hello Jonathan,
Glad to have another Splunker. I've been using Splunk for 2 years and am hooked. I learned how to spell Splunk and | transaction too. You'll learn that one soon.
Go over to Splunk…
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tuned Splunking skills.
I like to wear Extra Lovable…
Feb 7
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
I just started playing with Splunk. I looked through the docs and was unable to find any commands that allow me to do the *nix equivalent of 'cut -d' ' -f1,5'.
Any comments appreciated
Thanks
Harish
Are you attempting to do field extraction? A well-written regex should be able to reproduce what you want. Got a sample? Post it and we'll see if we can figure it out.
You may want to try the "Extract Fields" option on the event menu (right next to each event's timestamp). It will build a regex for you and persist it, so it's always extracted.
However, if your event structure is basically the same for every event, this should work (at search time). Let me know and I will show you how to persist it.
SiteUrl | rex "\[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\s\w+\][^\[]*\[\S+(?[^\]]*)\]"
In a nutshell, rex is a search command that lets you temporarily extract fields at search time using regex, but if you're not a regex ninja, use that Field Extract thing I mentioned.
And watch my video on "All My Regexs Live in Texas". It may be helpful.
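An added example, not code from the thread, covering both the original question and the reply: it reproduces `cut -d' ' -f1,5` in Python, writes the same extraction as a rex-style named-group pattern, and lets a Splunk rex pattern be tested offline before it goes into a search. Splunk's rex uses PCRE `(?<name>...)` groups while Python's re only accepts `(?P<name>...)`, so a small `rex_to_python()` helper rewrites the syntax. The log lines are constructed, and the group names f1..f6 given to the reply's pattern are placeholders, since the real names did not survive in the thread.

```python
"""Reproduce `cut -d' ' -f1,5` in Python and test a Splunk-style rex pattern.

Added example, not code from the thread. Splunk's rex uses PCRE named groups
written (?<name>...); Python's re needs (?P<name>...), so rex_to_python()
rewrites the group syntax before compiling. The log lines are constructed,
and the group names f1..f6 in the reply's pattern are placeholders, since
the original names were lost from the thread.
"""
import re

# Constructed space-delimited events: host facility pid level message kv.
CUT_INPUT = [
    "web01 auth 4123 INFO login_ok user=alice",
    "web02 auth 4124 WARN login_failed user=bob",
]

# Constructed bracketed event in the shape the reply's rex pattern expects.
BRACKET_INPUT = ("[Mon Feb 07 10:00:01 2011] [error] [client 10.0.0.5] "
                 "[pid 123] [tid 4 ws] x [ctx main]")

# The reply's pattern with placeholder group names f1..f6 (assumption).
REX_FROM_REPLY = (
    r"\[\S+(?<f1>[^\]]*)\] \[\S+(?<f2>[^\]]*)\] \[\S+(?<f3>[^\]]*)\] "
    r"\[\S+(?<f4>[^\]]*)\] \[\S+(?<f5>[^\]]*)\s\w+\][^\[]*\[\S+(?<f6>[^\]]*)\]"
)

# rex equivalent of `cut -d' ' -f1,5`: exact single-space delimiter semantics,
# so two consecutive spaces produce an empty field, just as cut does.
CUT_1_5_REX = r"^(?<f1>[^ ]*)(?: [^ ]*){3} (?<f5>[^ ]*)"


def rex_to_python(pattern):
    """Rewrite PCRE (?<name>...) groups as Python (?P<name>...).

    Lookbehinds (?<= and (?<! are left alone, because '=' and '!' are not
    word characters and so never match the \\w+ name.
    """
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def rex_extract(pattern, line):
    """Behave like `| rex`: return the named groups as a dict, {} on no match."""
    match = re.search(rex_to_python(pattern), line)
    return match.groupdict() if match else {}


def cut_fields(line, fields, delim=" "):
    """`cut -d<delim> -f<fields>` for one line.

    Field numbers are 1-based; fields past the end of the line are dropped,
    as cut does.
    """
    parts = line.split(delim)
    return [parts[i - 1] for i in fields if i - 1 < len(parts)]


if __name__ == "__main__":
    for line in CUT_INPUT:
        print(cut_fields(line, [1, 5]), rex_extract(CUT_1_5_REX, line))
    print(rex_extract(REX_FROM_REPLY, BRACKET_INPUT))
```

The captured values from the reply's pattern keep their leading space because each group starts right after the `\S+` that consumes the first word inside the bracket; trimming is a job for `| rex` with a tighter group or a later `| eval trim(...)`, not something this example silently does.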