Hi,
i have a written DirXML driver that audits specific attributes that change and write syslog using log4j. The format i emply is always {attribute:nameOfAttribute} {qualified-src-dn:valueofqualifiedSrcDn} etc. So I am trying to generate a regex to take
any occurance of {x:y} and treat x as fieldname and y as value in field of name x.
I had no luck using the interactive log extractor. Also complicating things is that the DN has plenty of "dangerous" characters for a regex.
Any help is aprechiated. Oh the format i employ is inspired by XDAS. I can modify the format if it makes i easier but i figured using {} would make it easier.
Try: {([^:].+?):([^}].+?)}
$1 will be your key and $2 will be your value.
The regex works on my sample data see http://regexr.com?30mep however i get no fields in splunk when i use it as a inline regex. Is there a way in splunk 4.3 and up to do it inline?
ok, the second one seems to work nice enough. Thanks
Don't do this in the interactive field extractor. You'll have to do it in manager or the config file. I don't the IFE can handle dynamic field names. The regex {(?<_KEY_1>[^:]*):(?<_VAL_1>[^}]*)}
should also work.
also i might add i strive to have the value of $1 as the fieldname in splunk named as such and not as group named "1". Does that make sense?
Looks nice... i get
Invalid regex: no named extraction at position 0 (i.e., "{([^:].+?)..."). Expected "(?P