Hi Guys
Recently I have been dealing with some application logs and met some difficulties with field extraction.
Every fieldname is started with a "#", such as #field1=xxx#field2=yyy#field3=zzz#...
Then splunk extracted fields like: field1="xxx#field2=yyy#field3=zzz". How to tell splunk to threat "#" as a comma or space (means ignore the #) ?
Would someone help me ? Thanks in advance!
The log format is like:
2012-04-16 17:41:27:087 [Inner-Tans-90013849] request:a60061152 102600 #oper_flag=1#user_type=2#user_id_type=1#user_id=1234567#user_pwd=897985d09890f41a4300#login_ip=192.168.1.1#bank_no=0000#net_envionment=2#net_agent=1#
2012-04-16 17:41:27:087 [Inner-Tans-90013849] 1.Start:com.klink.btrs.product.system.imp.T9006
2012-04-16 17:41:27:089 [Inner-Tans-90013849] com.klink.btrs.BtrsException: Invalid Username or password!
2012-04-16 17:41:27:095 [Inner-Tans-10023849] response:a60061152 102600 HJ9999 #rsp_msg=Invalid Username or password!#
Great! Happy Splunking 🙂
Hi Damien,
Thank you!
I added:
[logtest]
DELIMS = "#", "="
in transforms.conf
and added:
[logtest]
REPORT-test = logtest
in props.conf, then it works!!