hi all,
we have data records like
posLabel=monitoring field posData=51.02 55.56 msg=xxxx
where variables' content include blanks.
my questions:
how can I advise splunk to include the entire string (incl. blanks)
to a variable. in this example, to assign "monitoring field" to variable
posLabel and "51.02 55.56" to posData?
is there any escape character defined to prevent that a "=" character
in my data becomes interpreted as a new variable namen?
for example, in case of "posData=x=5,y=9 " the value of posData
should be "x=5,y=9", and no x and y variables should become created.
thanks for any link or sample code.
best, and thanks to all
Caspar
Like this:
[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs
[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1
Like this:
[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs
[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1