Hi,
I have some logs containing values separated by #.
Example:
charlie#2016-10-11#125.44.23.10#Mozzila#resolvedTest#1#12
My objective is to add new fields:
name = charlie
date = 2016-10-11
ip = 125.44.23.10
ua = Mozzila
status = resolvedTest
acted = 1
numact = 12
The separator is #, but how can I edit the configuration?
Hi sfatnass,
Index your logs and create a custom sourcetype, for example, named mylogs. Then create custom search-time field extraction:
Edit $SPLUNK_HOME/etc/apps/search/local/props.conf:
[mylogs]
REPORT-mylogs = mylogs
Edit $SPLUNK_HOME/etc/apps/search/local/transforms.conf:
[mylogs]
DELIMS = "#"
FIELDS = name date ip ua status acted numact
Reload your configuration files through http://your_splunk_web_url:8000/en-US/debug/refresh, and your logs will have the correct fields extracted.
Hope it helps. Thanks!
Hunter
Try this:
props.conf
[mysourcetype]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d
TIME_PREFIX=\w+\#
MAX_TIMESTAMP_LOOKAHEAD=10
REPORT-mylogs = mylogs_fields
transforms.conf
[mylogs_fields]
DELIMS = "#"
FIELDS = "name","date","ip","ua","status","acted","numact"
Bye.
Giuseppe
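As an added illustration (not code from either answer above, and not Splunk's own parser), the Python below emulates what the DELIMS/FIELDS transform and the TIME_PREFIX/MAX_TIMESTAMP_LOOKAHEAD/TIME_FORMAT settings do to the sample line from the question, so the stanzas can be sanity-checked offline before they are deployed. The use of configparser and the zip-style field pairing are assumptions about how a minimal emulation should behave, not a description of Splunk internals.

```python
import configparser
import re
from datetime import datetime

# Stanzas copied from the answers above (stanza-name whitespace trimmed); not Splunk's own code.
PROPS_CONF = """
[mysourcetype]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d
TIME_PREFIX=\\w+\\#
MAX_TIMESTAMP_LOOKAHEAD=10
REPORT-mylogs = mylogs_fields
"""
TRANSFORMS_CONF = """
[mylogs_fields]
DELIMS = "#"
FIELDS = "name","date","ip","ua","status","acted","numact"
"""
SAMPLE_EVENT = "charlie#2016-10-11#125.44.23.10#Mozzila#resolvedTest#1#12"  # the event from the question

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)  # '%' in TIME_FORMAT is literal
    cp.optionxform = str  # keep key case (REPORT-mylogs, DELIMS, ...)
    cp.read_string(text)
    return cp

def _name_list(value):
    # Accept both spellings seen on the page: "a","b" as well as a b c / a, b, c
    return [tok.strip('"') for tok in re.split(r"[,\s]+", value.strip()) if tok]

def extract_fields(props_text, transforms_text, sourcetype, event):
    """Apply every REPORT-* transform of a sourcetype to one event, DELIMS/FIELDS style."""
    props, transforms = _load(props_text), _load(transforms_text)
    fields = {}
    for key, value in props[sourcetype].items():
        if not key.startswith("REPORT-"):
            continue
        for name in _name_list(value):
            t = transforms[name]
            values = event.split(t["DELIMS"].strip('"'))
            # zip() drops surplus values and leaves missing trailing fields unset
            fields.update(zip(_name_list(t["FIELDS"]), values))
    return fields

def extract_timestamp(props_text, sourcetype, event):
    """Emulate TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT on one event."""
    st = _load(props_text)[sourcetype]
    m = re.search(st["TIME_PREFIX"], event)
    start = m.end() if m else 0  # timestamp search begins right after the prefix match
    window = event[start:start + int(st.get("MAX_TIMESTAMP_LOOKAHEAD", "128"))]
    return datetime.strptime(window, st["TIME_FORMAT"])
```

Running extract_fields on the sample event yields the seven fields the question asks for, and extract_timestamp confirms that the date field, not the name, is picked up as the event time.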
You could use the Interactive Field Extractor to extract these fields. Select the delim option and use #
as the delimiter. You will then have an opportunity to name all the fields that are extracted.