Just playing with rex sed a bit here. I had load balancer log which pops out the data center name. Just thought I would SED the event so that it was in key value format, but it doesn't look like Splunk will extract it as a field. Is there an option I am missing or this normal?
tag=mystuff | rex mode=sed "s/MYDCname/datacenter=MYDCname /g"
Hi
just escape = character like below
tag=mystuff | rex mode=sed "s/MYDCname/datacenter\=MYDCname /g"
verify that MYDCname string is present in a _raw field
If you are trying to modify it BEFORE it gets indexed, you need to put a SEDCMD
in a props.conf on your HF or Indexers:
http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles
Providing a sample events and highlighting the value you need to extract as a field will help here. The rex with sed is just to update an existing field value. To create/extract a new field, use regular rex, something like this
tag=mystuff | rex field=yourfield(default is _raw) "(?<datacenter>MYDCname)"