- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Mixed Multivalued Field Extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having some issues pulling fields out of some particularly strange logging statements, kind of a mix of multivalued and traditional.
For Example:
10/08/2013 23:00:00 INFO: | INF|SVC|TASK|1233212123|something happened when ip=128 and stranger=asdf
I need to pull out the following fields:
Field 1: field1=INF
Field 2: field2=SVC
Field 3: field3=TASK
Field 4: field4=1233212123
Field 5: ip=128
Field6: stranger=asdf
Thoughts???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.
Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let splunk handle the key=value part automatically.
props.conf
[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're welcome. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked, Awesome.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.
Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let splunk handle the key=value part automatically.
props.conf
[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which field contains ip and stranger? If the other fields exist,then the remaining text must be in some other field.
Or, are you saying that none of the fields are extracted and you need to use | as a delimiter with a multi extraction from the last field.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
