best field extraction regex for custom log format

dominiquevocat · ‎09-14-2011

Hi,

i have a written DirXML driver that audits specific attributes that change and write syslog using log4j. The format i emply is always {attribute:nameOfAttribute} {qualified-src-dn:valueofqualifiedSrcDn} etc. So I am trying to generate a regex to take
any occurance of {x:y} and treat x as fieldname and y as value in field of name x.

I had no luck using the interactive log extractor. Also complicating things is that the DN has plenty of "dangerous" characters for a regex.

Any help is aprechiated. Oh the format i employ is inspired by XDAS. I can modify the format if it makes i easier but i figured using {} would make it easier.

stephanbuys · ‎09-14-2011

Try: {([^:].+?):([^}].+?)}

$1 will be your key and $2 will be your value.

dominiquevocat · ‎04-18-2012

The regex works on my sample data see http://regexr.com?30mep however i get no fields in splunk when i use it as a inline regex. Is there a way in splunk 4.3 and up to do it inline?

dominiquevocat · ‎09-14-2011

ok, the second one seems to work nice enough. Thanks

gkanapathy · ‎09-14-2011

Don't do this in the interactive field extractor. You'll have to do it in manager or the config file. I don't the IFE can handle dynamic field names. The regex {(?<_KEY_1>[^:]*):(?<_VAL_1>[^}]*)} should also work.

dominiquevocat · ‎09-14-2011

also i might add i strive to have the value of $1 as the fieldname in splunk named as such and not as group named "1". Does that make sense?

dominiquevocat · ‎09-14-2011

Looks nice... i get
Invalid regex: no named extraction at position 0 (i.e., "{([^:].+?)..."). Expected "(?Ppattern)"

best field extraction regex for custom log format

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life