This is a sample Oracle syslog below. Anybody know if it is possible to parse the string below following the LENGTH parameter using DELIMS? The object would be to avoid picking up each corresponding length of each value that is specified in the brackets following each key?
LENGTH: "353" SESSIONID:[7] "5544703" ENTRYID:[1] "1" ...
If you want to do this as a search-time KV extraction, it would be very simple to use the following RegEx to separate your KV pairs:
PROPS.CONF:
[mysourcetype]
REPORT-mysourcetype = xf-kv
TRANSFORMS.CONF:
[xf-kv]
REGEX = (?<_KEY_1>[^ ]+):(\[\d+\])?\s"(?<_VAL_1>[^ ]+)"
This will yield the following fields, based on your sample data, above:
LENGTH = 353
SESSIONID = 5544703
ENTRYID = 1
This removes the [count], the quotes, and enumerates the fields in a very simple way.
HTH
Ron
If you want to do this as a search-time KV extraction, it would be very simple to use the following RegEx to separate your KV pairs:
PROPS.CONF:
[mysourcetype]
REPORT-mysourcetype = xf-kv
TRANSFORMS.CONF:
[xf-kv]
REGEX = (?<_KEY_1>[^ ]+):(\[\d+\])?\s"(?<_VAL_1>[^ ]+)"
This will yield the following fields, based on your sample data, above:
LENGTH = 353
SESSIONID = 5544703
ENTRYID = 1
This removes the [count], the quotes, and enumerates the fields in a very simple way.
HTH
Ron
Perhaps you should anonymize that data before you index it.
http://www.splunk.com/base/Documentation/4.1.6/Admin/Anonymizedatawithsed
If that data doesn't matter to you it might behoove you to not index, just sayin...