transformation of the logs

Jananee_iNautix · ‎11-28-2013

Hi,
I was given logs of certain format and now i want to output the logs in different format.Below is the sample logs given
2013/11/22 00:03:21 [therws] User activity containing filename abc.txt
2013/11/22 00:03:21 [tergs] User activity containing filename cde.csv

I should extract fields from the above logs and output them in splunk following format as events.

Fri November 22 00:03:21 2013 threws abc.txt a

a is for ascii
b is for binary

Can this be done in splunk?The transformation of logs should take place not at search time.

yannK · ‎11-28-2013

At search time or at index time ?

At search time, you can extract all your fields, with rex and use a simple eval to create the needed field.
And when you export, use another eval to format/concatenate your events with all the fields, in the order you want

Please provide your props and transforms to understand what was done.

Jananee_iNautix · ‎11-28-2013

In props.conf i created a new sourcetype involving transformation part in it.
In transform.conf I didn give the regex pattern yet waiting for your answer to give a try.

Jananee_iNautix · ‎11-28-2013

I want at index time.

transformation of the logs

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!