Splunk Enterprise

transforms.conf - Parsing KVP pairs using DELIMS

jgreen1
Engager

This is a sample Oracle syslog below. Anybody know if it is possible to parse the string below following the LENGTH parameter using DELIMS? The object would be to avoid picking up each corresponding length of each value that is specified in the brackets following each key?

LENGTH: "353" SESSIONID:[7] "5544703" ENTRYID:[1] "1" ...

1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

If you want to do this as a search-time KV extraction, it would be very simple to use the following RegEx to separate your KV pairs:

PROPS.CONF:
[mysourcetype]
REPORT-mysourcetype = xf-kv

TRANSFORMS.CONF:
[xf-kv]
REGEX  = (?<_KEY_1>[^ ]+):(\[\d+\])?\s"(?<_VAL_1>[^ ]+)"

This will yield the following fields, based on your sample data, above:

LENGTH = 353
SESSIONID = 5544703
ENTRYID = 1

This removes the [count], the quotes, and enumerates the fields in a very simple way.

HTH
Ron

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

If you want to do this as a search-time KV extraction, it would be very simple to use the following RegEx to separate your KV pairs:

PROPS.CONF:
[mysourcetype]
REPORT-mysourcetype = xf-kv

TRANSFORMS.CONF:
[xf-kv]
REGEX  = (?<_KEY_1>[^ ]+):(\[\d+\])?\s"(?<_VAL_1>[^ ]+)"

This will yield the following fields, based on your sample data, above:

LENGTH = 353
SESSIONID = 5544703
ENTRYID = 1

This removes the [count], the quotes, and enumerates the fields in a very simple way.

HTH
Ron

Lamar
Splunk Employee
Splunk Employee

Perhaps you should anonymize that data before you index it.

http://www.splunk.com/base/Documentation/4.1.6/Admin/Anonymizedatawithsed

If that data doesn't matter to you it might behoove you to not index, just sayin...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...