
Extract New Fields in Splunk


The process by which Splunk extracts fields from event data, and the results of that process, are referred to as extracted fields. Splunk extracts a set of default fields for each event it indexes. You can also create custom fields by defining additional index-time and search-time field extractions, using search commands, the field extractor, or configuration files.

In this article we will see how to extract a custom field from the event data.

In my blog "Configure a universal forwarder to monitor a log file on Linux", we saw how to configure a universal forwarder to monitor the /var/log/messages file on a Linux server. We will use the event data from the same file to extract the message field. As you can see in the left pane of the screenshot below, the default fields extracted by Splunk do not contain the message field.





Steps to Extract New Field:

  • Click on the "Extract New Fields" link in the bottom left corner of the event data search (as shown in the above screenshot).
  • On the new page, click on an event to select it as the sample event.
  • Click on "Next" and select "Regular Expression".
  • On the next screen, highlight the message part of the sample event. A popup window will open asking for the field name. Type the field name you want to use; in my case I am giving the field name as "Message".
  • Click on "Next" and review your extraction.
  • If some events are still not included because their format differs slightly (shown in the below screenshot with a red cross in front of them), add one of them as an additional sample event and provide the same field name, "Message", in the popup window.
  • Click Validate -> Save -> Finish.
  • You should now see the extracted field "Message" in the list of interesting fields.
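The step about events with a slightly different format is the one that usually trips people up: a regular expression built from a single sample event only matches events of that exact shape. The following added example (not part of the original post) reproduces this with constructed /var/log/messages lines: a "narrow" pattern derived from a sample that has a PID in brackets misses the systemd and kernel lines, and the "wide" pattern obtained after adding a second sample event matches all of them. The sample events and both patterns are my own assumptions about the traditional rsyslog line format.

```python
import re

# Constructed sample events in the traditional rsyslog format of
# /var/log/messages (not taken from the original post).
SAMPLE_EVENTS = [
    "Mar  3 10:15:32 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:15:33 web01 systemd: Started Session 42 of user deploy.",
    "Mar  3 10:15:34 web01 kernel: [12345.678] usb 1-1: new high-speed USB device number 3",
    "Mar  3 10:15:35 web01 sudo[2240]:   deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]

# Common prefix: syslog timestamp followed by the host name.
_PREFIX = r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"

# Pattern built from a single sample event that has "program[pid]:"; it only
# matches events of that exact shape (the red-cross events in the wizard).
NARROW_RE = re.compile(_PREFIX + r"[^\s\[:]+\[\d+\]:\s+(?P<Message>.*)$")

# Pattern widened after adding a second sample event without a PID: the
# "[pid]" part is optional, so both shapes yield a Message field.
WIDE_RE = re.compile(_PREFIX + r"[^\s\[:]+(?:\[\d+\])?:\s+(?P<Message>.*)$")


def extract_message(regex, events):
    """Return {event: Message or None}, i.e. what Splunk would show per event."""
    result = {}
    for event in events:
        m = regex.search(event)
        result[event] = m.group("Message") if m else None
    return result


def coverage(regex, events):
    """Number of events from which the Message field was extracted."""
    return sum(1 for v in extract_message(regex, events).values() if v is not None)


if __name__ == "__main__":
    for name, rx in (("narrow", NARROW_RE), ("wide", WIDE_RE)):
        print(f"{name}: {coverage(rx, SAMPLE_EVENTS)}/{len(SAMPLE_EVENTS)} events matched")
        for event, msg in extract_message(rx, SAMPLE_EVENTS).items():
            print("  ", "ok" if msg else "--", event[:32], "->", msg)
```

The wide pattern is also what you would paste into a `| rex field=_raw "..."` search command to test an extraction before saving it, and checking the match count against the total event count is the quickest way to spot events the extraction still misses.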

