Skip to main content

Extract New Fields in Splunk

Extract New Fields in Splunk

The process by which Splunk extracts fields from event data and the results of that process, are referred to as extracted fields. Splunk extracts a set of default fields for each event it indexes. You can also create custom fields by defining additional index-time and search-time field extractions, using search commands, the field extractor, or configuration files.

In this article we will see how to extract custom fields from the event data:

In my blog "Configure a universal forwarder to monitor a log file on Linux", we have seen how to configure universal forwarder to monitor the linux server /var/log/messages file. We will use the event data from the same file to extract the message field. As you can see in the left pane of below screenshot that default fields extracted by Splunk does not contain the message field.





Steps to Extract New Field:

  • Click on the "Extract New Fields" link on the bottom left corner of the event data search (as shown in above screenshot).
  • On the new page click on a event to select a sample event.

  • Click on "Next" and Select "Regular Expression"
  • On the next screen, highlight the message part in the sample event. A popup window will come to provide the field name. Type the field name you want to provide. In my case I am giving the field name as "Message"


  • Click on "Next" and Review your extraction. 


  • If some events are still not included due to a little difference in the format, as shown in the below screenshot with red cross in front of them, then add one of them as sample event and provide field name in the popup window with the same name as "Message"


  • Click Validate -> Save -> Finish
  • You should now see the extracted field "Message" in the list of interested fields.


Comments

Post a Comment

Popular posts from this blog

Configure Oracle ASM Disks on AIX

Configure Oracle ASM Disks on AIX You can use below steps to configure the new disks for ASM after the raw disks are added to your AIX server by your System/Infrastructure team experts: # /usr/sbin/lsdev -Cc disk The output from this command is similar to the following: hdisk9 Available 02-T1-01 PURE MPIO Drive (Fibre) hdisk10 Available 02-T1-01 PURE MPIO Drive (Fibre) If the new disks are not listed as available, then use the below command to configure the new disks. # /usr/sbin/cfgmgr Enter the following command to identify the device names for the physical disks that you want to use: # /usr/sbin/lspv | grep -i none This command displays information similar to the following for each disk that is not configured in a volume group: hdisk9     0000014652369872   None In the above example hdisk9 is the device name and  0000014652369872  is the physical volume ID (PVID). The disks that you want to use may have a PVID, but they must not belong to a volu...
2 comments
Read more

Adding New Disks to Existing ASM Disk Group

Add Disks to Existing ASM Disk Group In this blog I will show how to add new disks to an existing ASM Disk group. This also contains the steps to perform the migration from existing to the new storage system. In order to add the disk to the ASM disk group, you will first need to configure these disk using the operating system commands. I have provided the steps to configure the disks on AIX system in my blog " Configure Oracle ASM Disks on AIX" Adding New Disks to DATA Disk Group (Storage Migration for DATA Disk Group) Login to your ASM instance $ sqlplus / as sysasm If the name of the new disk is in different format from the existing disk, the modify the asm_diskstring parameter to identify the new disks. In my below example /dev/ora_data* is the format of the existing disks and /dev/new_disk* is the naming format of the newly configured disks. You should not modify this parameter unless the naming format changes. SQL> alter system set asm_diskstring = '/dev/ora_data*...
Post a Comment
Read more

Load records from csv file in S3 file to RDS MySQL database using AWS Data Pipeline

 In this post we will see how to create a data pipeline in AWS which picks data from S3 csv file and inserts records in RDS MySQL table.  I am using below csv file which contains a list of passengers. CSV Data stored in the file Passenger.csv Upload Passenger.csv file to S3 bucket using AWS ClI In below screenshot I am connecting the RDS MySQL instance I have created in AWS and the definition of the table that I have created in the database testdb. Once we have uploaded the csv file we will create the data pipeline. There are 2 ways to create the pipeline.  Using "Import Definition" option under AWS console.                    We can use import definition option while creating the new pipeline. This would need a json file which contains the definition of the pipeline in the json format. You can use my Github link below to download the JSON definition: JSON Definition to create the Data Pipeline Using "Edit Architect" ...
1 comment
Read more