Extract Fields at runtime in Splunk

Splunk keeps each raw event in the _raw field. To pull a value out of it at search time into a new field, use the rex command with a named capture group; the group name becomes the name of the extracted field. The general shape is:

rex field=_raw "(?ms).*match everything after this(?<mapToThisField>.*).*" | table mapToThisField

With "Time taken: " as the literal to match, the capture group receives everything that follows it:

Input: Time taken: 300

Output: 300

(field=_raw is the default for rex, so it can be omitted.)

For count stats, use:

*Exception* | rex field=_raw "(?ms).*Exception(?<EType>.*).*" | stats count by EType | sort - count

The leading *Exception* restricts the search to events containing that word; rex then captures the text after the last occurrence of "Exception" in each event into EType (the greedy leading .* backtracks to the last match), and stats lists the distinct EType values by descending count. Note that under (?s) the greedy .* in the capture runs to the end of the event, stack trace included, so two events with the same exception but different stack frames will count as separate EType values. If you want them grouped, tighten the capture, for example to the exception class name or to the end of the current line.

PS: In the regexes above, (?ms) sets two PCRE pattern modifiers inline (Splunk's rex uses PCRE):

  • m (PCRE_MULTILINE): the "start of line" (^) and "end of line" ($) constructs match immediately after and immediately before any newline in the subject string, respectively, as well as at its very start and end. It only has an effect when the pattern uses ^ or $, which the patterns above do not.
  • s (PCRE_DOTALL): the dot metacharacter matches every character, including newlines. Without it, .* stops at the first line break, so a capture on a multi-line event (a stack trace, say) would only get the rest of the current line.

The full list of modifiers is documented at: http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php
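The following Python script is added here as an illustration and is not part of the original post or of Splunk: it emulates what rex and stats count by do, so the patterns above can be tried offline on a handful of constructed multi-line events. It uses Python's re module, which spells named groups as (?P<name>...) where PCRE and Splunk write (?<name>...). It runs the post's Exception pattern to show that the greedy capture under (?s) swallows the stack trace, a tighter capture that groups events by exception class, the difference (?s) makes on one event, and the "Time taken: 300" extraction.

```python
import re
from collections import Counter

# Constructed sample events for this example (not from the original post),
# as Splunk would hold them in _raw: three multi-line ERROR events with
# Java-style stack traces and one single-line INFO event.
EVENTS = [
    "2024-05-01 10:00:01 ERROR Request failed\n"
    "java.lang.NullPointerException: id was null\n"
    "\tat com.example.Svc.run(Svc.java:42)",
    "2024-05-01 10:00:05 ERROR Request failed\n"
    "java.lang.NullPointerException: user was null\n"
    "\tat com.example.Svc.run(Svc.java:57)",
    "2024-05-01 10:00:09 ERROR Timeout\n"
    "java.net.SocketTimeoutException: read timed out\n"
    "\tat com.example.Http.get(Http.java:88)",
    "2024-05-01 10:00:12 INFO Time taken: 300",
]


def rex(events, pattern):
    """Emulate `rex field=_raw "<pattern>"`.

    Returns one dict per event holding the named groups of the first
    (unanchored) match, or an empty dict when the event does not match,
    mirroring how rex leaves non-matching events without the new field.
    PCRE/Splunk spell named groups (?<name>...); Python's re needs
    (?P<name>...), so that is the form used here.
    """
    compiled = re.compile(pattern)
    rows = []
    for raw in events:
        m = compiled.search(raw)
        rows.append(m.groupdict() if m else {})
    return rows


def stats_count_by(rows, field):
    """Emulate `stats count by <field> | sort - count`.

    Events lacking the field are dropped, as stats does. Splunk's sort
    leaves ties in unspecified order; here ties are broken by value so
    the result is deterministic.
    """
    counts = Counter(r[field] for r in rows if r.get(field) is not None)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def loose_exception_counts():
    """The post's pattern as written: under (?s) the greedy capture takes
    everything after the last "Exception" to the end of the event, stack
    trace included, so every event ends up as its own EType value."""
    rows = rex(EVENTS, r"(?ms).*Exception(?P<EType>.*).*")
    return stats_count_by(rows, "EType")


def tight_exception_counts():
    """A tighter capture: only the exception class name, so events with
    the same exception but different stack frames are grouped together."""
    rows = rex(EVENTS, r"(?P<EType>\w+Exception)\b")
    return stats_count_by(rows, "EType")


def dotall_effect():
    """What (?s) changes on one multi-line event: without it, .* stops at
    the first newline; with it, the capture runs to the end of the event."""
    without_s = rex(EVENTS[:1], r"(?m).*Exception(?P<EType>.*).*")[0]["EType"]
    with_s = rex(EVENTS[:1], r"(?ms).*Exception(?P<EType>.*).*")[0]["EType"]
    return without_s, with_s


def time_taken():
    """The post's "Time taken: 300" example, with the capture limited to
    digits instead of a greedy .* so it cannot run past the number."""
    return [r["time"] for r in rex(EVENTS, r"Time taken: (?P<time>\d+)") if r]


if __name__ == "__main__":
    print("loose :", loose_exception_counts())
    print("tight :", tight_exception_counts())
    print("dotall:", dotall_effect())
    print("time  :", time_taken())
```

Running it shows the loose pattern producing three EType values with a count of 1 each, while the tight pattern reports NullPointerException twice and SocketTimeoutException once; the same tightening applies directly to the Splunk search by replacing the capture group.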
