Solved: How to extract field with fieldname starts with a ...

sonicant · ‎04-22-2012

Hi Guys

Recently I have been dealing with some application logs and met some difficulties with field extraction.
Every fieldname is started with a "#", such as #field1=xxx#field2=yyy#field3=zzz#...
Then splunk extracted fields like: field1="xxx#field2=yyy#field3=zzz". How to tell splunk to threat "#" as a comma or space (means ignore the #) ?

Would someone help me ? Thanks in advance!

The log format is like:

2012-04-16 17:41:27:087 [Inner-Tans-90013849] request:a60061152 102600 #oper_flag=1#user_type=2#user_id_type=1#user_id=1234567#user_pwd=897985d09890f41a4300#login_ip=192.168.1.1#bank_no=0000#net_envionment=2#net_agent=1#
2012-04-16 17:41:27:087 [Inner-Tans-90013849] 1.Start:com.klink.btrs.product.system.imp.T9006
2012-04-16 17:41:27:089 [Inner-Tans-90013849] com.klink.btrs.BtrsException: Invalid Username or password！
2012-04-16 17:41:27:095 [Inner-Tans-10023849] response：a60061152 102600 HJ9999 #rsp_msg=Invalid Username or password！#

Damien_Dallimor · ‎04-22-2012

Take a look at the DELIMS property in transforms.conf

Example :

[foo]
DELIMS = "#", "="

View solution in original post

Damien_Dallimor · ‎04-22-2012

Take a look at the DELIMS property in transforms.conf

Example :

[foo]
DELIMS = "#", "="

Damien_Dallimor · ‎04-22-2012

Great! Happy Splunking 🙂

sonicant · ‎04-22-2012

Hi Damien,
Thank you!
I added:
[logtest]
DELIMS = "#", "="
in transforms.conf

and added:
[logtest]
REPORT-test = logtest
in props.conf, then it works!!

How to extract field with fieldname starts with a "#" ?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!