Hi,
I have a log file consisting of log entries with the following format:
date time source message_type optional_qualifier param1, param2,...,param_n
The parameters are values only (i.e. not of the form name=value). What would be the easiest way to extract parameter number 3 or 4 and assign them to a field?
Dotan
There are several ways to do it: use Transforms.conf with the DELIMS option,
or use an on-demand rex. http://docs.splunk.com/Documentation/Splunk/6.1.4/Admin/transformsconf
This is a very high-level example:
Sample log: 2012-10-20 15:23:59 abc123|cyz234|xaycvbd|sedghyrd|scvbdg|10002345000
In my Transforms.conf, this would be the entry:
[MyStanza]
DELIMS = "|"
FIELDS = "F001","F002","F003"
And then, add a reference in
Props.conf
[MyFields]
REPORTS-foo = MyStanza
As a result, you should have F001 = abc123, F002 = cyz234 and so on.
Hope this is what you're looking for.
Thanks,
Raghav
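The following is an added example, not code from the thread above. It emulates, in plain Python, what the two approaches in this answer would pull out of a log line, so the expected field values can be checked offline without a Splunk instance: a split that mirrors transforms.conf DELIMS/FIELDS (applied to the whole event, as a transform with the default SOURCE_KEY of _raw is), and a regex equivalent to a search-time rex for the comma-separated parameter list in the original question's format. The sample lines, the field names and the regex are constructed for this example; one thing the split makes visible is that with DELIMS = "|" the date and time stay attached to the first field, because nothing before the first pipe is a delimiter.

```python
import re

# Constructed sample in the question's format:
#   date time source message_type optional_qualifier param1, param2, ..., param_n
QUESTION_LINE = "2012-10-20 15:23:59 fw01 AUTH_FAIL remote alice, 10.0.0.5, 3, ssh"
# Same format with the optional qualifier absent (constructed).
QUESTION_LINE_NO_QUAL = "2012-10-20 15:23:59 fw01 AUTH_OK bob, 10.0.0.9, 1"

# Pipe-delimited sample line from the answer above.
ANSWER_LINE = "2012-10-20 15:23:59 abc123|cyz234|xaycvbd|sedghyrd|scvbdg|10002345000"
ANSWER_FIELDS = ["F001", "F002", "F003"]


def delims_extract(line, delims, fields):
    """Emulate transforms.conf DELIMS/FIELDS: split the whole event on any of
    the delimiter characters and pair the pieces, in order, with the FIELDS
    names. Pieces beyond the named fields are dropped, as Splunk does."""
    parts = re.split("[" + re.escape(delims) + "]", line)
    return dict(zip(fields, parts))


# Regex equivalent of a search-time extraction for the question's format:
#   | rex "(?<params>\S+(?:\s*,[^,]*)+)$"
# It anchors on the comma-separated list at the end of the event, so it does
# not depend on whether the optional qualifier is present. Assumes the first
# parameter contains no whitespace and that there are at least two parameters.
PARAMS_RE = re.compile(r"(?P<params>\S+(?:\s*,[^,]*)+)$")


def extract_params(line):
    """Return the parameter list as a list of trimmed strings, or [] if the
    line carries no comma-separated list."""
    m = PARAMS_RE.search(line)
    if not m:
        return []
    return [p.strip() for p in m.group("params").split(",")]


def param_n(line, n):
    """Parameter number n (1-based), or None if the line has fewer parameters.
    In SPL this is roughly: | eval paramN=trim(mvindex(split(params, ","), N-1))"""
    params = extract_params(line)
    return params[n - 1] if 0 < n <= len(params) else None


if __name__ == "__main__":
    print(delims_extract(ANSWER_LINE, "|", ANSWER_FIELDS))
    print(extract_params(QUESTION_LINE))
    print(param_n(QUESTION_LINE, 3), param_n(QUESTION_LINE, 4))
    print(param_n(QUESTION_LINE_NO_QUAL, 4))
```

Because the DELIMS split runs over the entire event, the first named field in the emulation is "2012-10-20 15:23:59 abc123" rather than "abc123"; to get the latter you would either strip the timestamp first or point the transform at a narrower SOURCE_KEY. For the question's own format, a rex anchored on the trailing comma list is the simpler route, since it keeps working whether or not the optional qualifier is present.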
Thank you, do you have a step-by-step process for doing so? I am a bit confused about what needs to be done in what order.
Dotan