Hi, I have a transform like this - it works fine except when I need to look up a field
[specialLogFile]
REGEX = ^([0-9\.]+) ([0-9\-]*) ([0-9\-]*) (\[[^\]]+\]) ("[^"]+") ([0-9\-]+) ([0-9\-]+) ("[^"]+") ("[^"]+") ([0-9\-]+) ("[^"]+") ([0-9\.]+)
FORMAT = client_ip::$1 user::$2 profile::$3 timestamp::$4 url::$5 http_status::$6 bytes::$7 referer::$8 user_agent::$9 processing_time_ms::$10 userNumber::$11 other_ip::$12
the matching log file entry would be
111.222.333.444 - - [24/Apr/2013:15:47:11 +0200] "GET /somerequest HTTP/1.1" 200 18356 "-" "some quoted useragent" 123 "4418" 222.333.444.555
My problem is when I want to use a look-up table with a userNumber: the CSV value is converted by Splunk into a number, regardless of whether or not it is quoted in the CSV.
Can you please help me change ("[^"]+") to whatever it takes to become a non-quoted number so I can have a CSV with
userNumber email username
4418, someone@somewhere.com,Fred
and be able to match the userNumber from CSV to the extracted log file field at search time
Thanks
Could you not just put the quotation marks outside the capture group? Skipping the first 10 fields in the example below.
REGEX= ... "([^"]+)" ([0-9.]+)
/K
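To make the fix concrete, here is an added example (not from the poster or from Splunk) that runs the original REGEX and the corrected one over the sample log line and then joins the extracted userNumber to the lookup CSV. It assumes Python's re module behaves like Splunk's regex engine for this pattern (it does for these constructs) and emulates the lookup with the csv module; the CSV text is a constructed, comma-separated version of the table in the question. The point it shows: with the quotes inside group 11 the extracted value carries literal quote characters ("4418"), so it never equals the lookup key 4418 and the join silently returns nothing; moving the quotes outside the group makes the join match.

```python
import csv
import io
import re

# Access-log line taken from the question (constructed sample data, not a real host).
LOG_LINE = ('111.222.333.444 - - [24/Apr/2013:15:47:11 +0200] "GET /somerequest HTTP/1.1" '
            '200 18356 "-" "some quoted useragent" 123 "4418" 222.333.444.555')

# Original REGEX from the question: the quotes around userNumber sit INSIDE group 11.
REGEX_QUOTES_INSIDE = re.compile(
    r'^([0-9\.]+) ([0-9\-]*) ([0-9\-]*) (\[[^\]]+\]) ("[^"]+") ([0-9\-]+) ([0-9\-]+) '
    r'("[^"]+") ("[^"]+") ([0-9\-]+) ("[^"]+") ([0-9\.]+)')

# Fix from the answer: quotes moved OUTSIDE group 11, so only the digits are captured.
REGEX_QUOTES_OUTSIDE = re.compile(
    r'^([0-9\.]+) ([0-9\-]*) ([0-9\-]*) (\[[^\]]+\]) ("[^"]+") ([0-9\-]+) ([0-9\-]+) '
    r'("[^"]+") ("[^"]+") ([0-9\-]+) "([^"]+)" ([0-9\.]+)')

# Field names in the same order as the FORMAT line ($1 .. $12).
FIELD_NAMES = ['client_ip', 'user', 'profile', 'timestamp', 'url', 'http_status', 'bytes',
               'referer', 'user_agent', 'processing_time_ms', 'userNumber', 'other_ip']

# Lookup table from the question, constructed as comma-separated CSV.
# The stray space after the first comma is kept on purpose to show why cells are stripped.
LOOKUP_CSV = "userNumber,email,username\n4418, someone@somewhere.com,Fred\n"


def extract_fields(regex, line):
    """Apply a transforms.conf-style REGEX/FORMAT pair: group N -> field N.

    Returns a dict of field name -> captured string, or None if the line
    does not match (Splunk would likewise leave the fields unset).
    """
    m = regex.match(line)
    if m is None:
        return None
    return dict(zip(FIELD_NAMES, m.groups()))


def load_lookup(csv_text):
    """Parse the lookup CSV into {userNumber: row}, stripping whitespace from every cell."""
    reader = csv.DictReader(io.StringIO(csv_text))
    table = {}
    for row in reader:
        clean = {k.strip(): v.strip() for k, v in row.items()}
        table[clean['userNumber']] = clean
    return table


def lookup_user(regex, line, csv_text):
    """Extract userNumber from the log line and join it to the lookup table.

    The join is a plain string comparison, as a Splunk lookup does it:
    '"4418"' (with quote characters) is not the same key as '4418'.
    Returns the matching CSV row, or None when there is no match.
    """
    fields = extract_fields(regex, line)
    if fields is None:
        return None
    return load_lookup(csv_text).get(fields['userNumber'])


if __name__ == '__main__':
    for name, rx in (('quotes inside group', REGEX_QUOTES_INSIDE),
                     ('quotes outside group', REGEX_QUOTES_OUTSIDE)):
        fields = extract_fields(rx, LOG_LINE)
        print(f"{name}: userNumber={fields['userNumber']!r} -> "
              f"lookup row: {lookup_user(rx, LOG_LINE, LOOKUP_CSV)}")
```

Running it prints the quoted value with no lookup row for the original pattern and the bare digits with the matching row for the corrected one. The same silent-miss behaviour is worth checking whenever a lookup returns no rows in Splunk: compare the raw extracted value (including any quote characters or padding) against the lookup key before blaming the CSV.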
Thanks, that was it.