Solved: How to extract field values from a log record incl... - Splunk Community

Getting Data In

hi all,

we have data records like

posLabel=monitoring field posData=51.02 55.56 msg=xxxx

where variables' content include blanks.

my questions:

how can I advise splunk to include the entire string (incl. blanks)
to a variable. in this example, to assign "monitoring field" to variable
posLabel and "51.02 55.56" to posData?
is there any escape character defined to prevent that a "=" character
in my data becomes interpreted as a new variable namen?
for example, in case of "posData=x=5,y=9 " the value of posData
should be "x=5,y=9", and no x and y variables should become created.

thanks for any link or sample code.

best, and thanks to all
Caspar

1 Solution

Solution

Like this:

props.conf:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

transforms.conf:

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1

View solution in original post

Solution

Like this:

props.conf:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

transforms.conf:

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...