Splunk Search

Mixed Multivalued Field Extraction

brianjbrady
Engager

I am having some issues pulling fields out of some particularly strange logging statements, kind of a mix of multivalued and traditional.

For Example:

10/08/2013 23:00:00 INFO:   |   INF|SVC|TASK|1233212123|something happened when ip=128 and stranger=asdf

I need to pull out the following fields:

Field 1: field1=INF

Field 2: field2=SVC

Field 3: field3=TASK

Field 4: field4=1233212123

Field 5: ip=128

Field6: stranger=asdf

Thoughts???

1 Solution

kristian_kolb
Ultra Champion

I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.

Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let Splunk handle the key=value part automatically.

props.conf

[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|

Hope this helps,

K
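As an added check that is not part of the thread, the EXTRACT regex from the answer above run in JavaScript (which accepts the same `(?<name>...)` named-group syntax as Splunk's PCRE) against the sample event, plus a simplified stand-in for Splunk's automatic key=value extraction; the KV pattern and the second, malformed event are assumptions constructed here to show the non-matching case.

```javascript
// Added example, not from the thread: exercise the EXTRACT regex from the
// accepted answer against the poster's sample event, then approximate the
// key=value extraction that Splunk performs automatically.

// Regex copied verbatim from the props.conf stanza; JavaScript (ES2018+)
// accepts the same (?<name>...) named-group syntax as Splunk's PCRE.
const EXTRACT_RE = /^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|/;

// Simplified stand-in for Splunk's automatic key=value extraction (assumption:
// a word-character key, '=', then a run of non-whitespace characters).
const KV_RE = /\b(\w+)=(\S+)/g;

// Constructed sample events: the one from the question, plus a variant with no
// pipe-delimited section to show that the extraction fails cleanly.
const SAMPLE_EVENT =
  "10/08/2013 23:00:00 INFO:   |   INF|SVC|TASK|1233212123|something happened when ip=128 and stranger=asdf";
const MALFORMED_EVENT = "10/08/2013 23:00:01 INFO: no delimiters here ip=10";

// Returns the four pipe-delimited fields as a plain object, or null when the
// regex does not match (Splunk likewise leaves the fields absent on such events).
function extractPipeFields(event) {
  const m = EXTRACT_RE.exec(event);
  return m ? { ...m.groups } : null;
}

// Returns every key=value pair found anywhere in the event.
function extractKeyValues(event) {
  const out = {};
  for (const m of event.matchAll(KV_RE)) out[m[1]] = m[2];
  return out;
}

// Combine both passes, roughly the way the fields would appear in search.
function extractAll(event) {
  return { ...(extractPipeFields(event) || {}), ...extractKeyValues(event) };
}

console.log(extractAll(SAMPLE_EVENT));    // six fields: field1..field4, ip, stranger
console.log(extractAll(MALFORMED_EVENT)); // only { ip: '10' }
```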

kristian_kolb
Ultra Champion

you're welcome. 🙂

brianjbrady
Engager

Worked, Awesome.
Thanks!

lukejadamec
Super Champion

Which field contains ip and stranger? If the other fields exist, then the remaining text must be in some other field.
Or, are you saying that none of the fields are extracted and you need to use | as a delimiter with a multi extraction from the last field?
