Skip to main content

Extract New Fields in Splunk

Extract New Fields in Splunk

The process by which Splunk extracts fields from event data and the results of that process, are referred to as extracted fields. Splunk extracts a set of default fields for each event it indexes. You can also create custom fields by defining additional index-time and search-time field extractions, using search commands, the field extractor, or configuration files.

In this article we will see how to extract custom fields from the event data:

In my blog "Configure a universal forwarder to monitor a log file on Linux", we have seen how to configure universal forwarder to monitor the linux server /var/log/messages file. We will use the event data from the same file to extract the message field. As you can see in the left pane of below screenshot that default fields extracted by Splunk does not contain the message field.





Steps to Extract New Field:

  • Click on the "Extract New Fields" link on the bottom left corner of the event data search (as shown in above screenshot).
  • On the new page click on a event to select a sample event.

  • Click on "Next" and Select "Regular Expression"
  • On the next screen, highlight the message part in the sample event. A popup window will come to provide the field name. Type the field name you want to provide. In my case I am giving the field name as "Message"


  • Click on "Next" and Review your extraction. 


  • If some events are still not included due to a little difference in the format, as shown in the below screenshot with red cross in front of them, then add one of them as sample event and provide field name in the popup window with the same name as "Message"


  • Click Validate -> Save -> Finish
  • You should now see the extracted field "Message" in the list of interested fields.


Comments

Post a Comment

Popular posts from this blog

Configure Oracle ASM Disks on AIX

Configure Oracle ASM Disks on AIX You can use below steps to configure the new disks for ASM after the raw disks are added to your AIX server by your System/Infrastructure team experts: # /usr/sbin/lsdev -Cc disk The output from this command is similar to the following: hdisk9 Available 02-T1-01 PURE MPIO Drive (Fibre) hdisk10 Available 02-T1-01 PURE MPIO Drive (Fibre) If the new disks are not listed as available, then use the below command to configure the new disks. # /usr/sbin/cfgmgr Enter the following command to identify the device names for the physical disks that you want to use: # /usr/sbin/lspv | grep -i none This command displays information similar to the following for each disk that is not configured in a volume group: hdisk9     0000014652369872   None In the above example hdisk9 is the device name and  0000014652369872  is the physical volume ID (PVID). The disks that you want to use may have a PVID, but they must not belong to a volu...
2 comments
Read more

Gitlab installation steps on Redhat Linux

In this blog we will see the steps to install Gitlab on Redhat Enterprise Linux 6. I will be using the virtual machine "gitserver" that I have created on Google Cloud. You can use any server or VM running RHEL 6 and follow these steps. Follow the below steps to install gitlab. Run these steps as root user. # yum install -y curl policycoreutils-python openssh-server cronie # lokkit -s http -s ssh  # yum install postfix  # service postfix start  # chkconfig postfix on  # curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | sudo bash  # EXTERNAL_URL="http://34.69.44.142" yum -y install gitlab-ee  You will see a screen similar to below, once your gitlab installation is successful. You can now access the gitlab console using the http or https url that you provided during the installation, i.e., http://<ip/server_name> http://gitserver.localdomain.com or  http://34.69.44.142 When you open the c...
2 comments
Read more

Load records from csv file in S3 file to RDS MySQL database using AWS Data Pipeline

 In this post we will see how to create a data pipeline in AWS which picks data from S3 csv file and inserts records in RDS MySQL table.  I am using below csv file which contains a list of passengers. CSV Data stored in the file Passenger.csv Upload Passenger.csv file to S3 bucket using AWS ClI In below screenshot I am connecting the RDS MySQL instance I have created in AWS and the definition of the table that I have created in the database testdb. Once we have uploaded the csv file we will create the data pipeline. There are 2 ways to create the pipeline.  Using "Import Definition" option under AWS console.                    We can use import definition option while creating the new pipeline. This would need a json file which contains the definition of the pipeline in the json format. You can use my Github link below to download the JSON definition: JSON Definition to create the Data Pipeline Using "Edit Architect" ...
1 comment
Read more