- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Problem with hyphen delimited sourcetype and space...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've got some logs that are in a format like this
2013-12-29 08:23:21,151 - INFO - 1.1.1.1 - None - None - SERVER1 - User keynote@test.com logged in... - Mozilla/4.0 (compatible; MSIE 8.0; Webmetrics; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
as you can see the field delimiter here is " - " (including the spaces). When I setup my custom sourcetype and field extractions using
DELIMS=" - "
it seems to be ignoring the spaces and breaking the fields at the first "-" rather than " - ". I'm getting "2013" as my first field rather than "2013-12-29 08:23:21,151"
I've tried using DELIMS="\s-\s" and that doesn't seem to work either.
Anyone have any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DELIMS is not a regular expression, it is a list of breaking characters. The hyphen was a poor choice by the author of your log file, as it is not just a breaking character but a valid character for part of a field. Splunk doesn't do well with "sometimes it means this and sometimes it means that" -- but you can always use regular expressions.
This will probably work:
[extractYourFields]
REGEX =,.*?\s-\s(?:(.*?)\s-\s)*(.*?)
FORMAT = first::$1 second::$2 third::$3
where first, second, and third are the names of the fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DELIMS is not a regular expression, it is a list of breaking characters. The hyphen was a poor choice by the author of your log file, as it is not just a breaking character but a valid character for part of a field. Splunk doesn't do well with "sometimes it means this and sometimes it means that" -- but you can always use regular expressions.
This will probably work:
[extractYourFields]
REGEX =,.*?\s-\s(?:(.*?)\s-\s)*(.*?)
FORMAT = first::$1 second::$2 third::$3
where first, second, and third are the names of the fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I was able to get a regex extract for my sourcetype to work. Not the optimal solution, but it will work. I completely agree the hyphen was a poor choice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will it work if you do this
DELIMS="\ -\ "
Quoting the spaces might make Splunk see them...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was afraid that this wouldn't work. Oh well, see next answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope, same behavior, delimits on the first "-" and not " - "
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
