- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Extract fields during source type creation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have log file that has combination of plain text and key value pairs separated by "|". How can i extract all the fields from log. below is the sample data I'm trying to index.
01/16/2017 11:09:15|SNMPv2c|hostname|IP address|0|sonusNodeServerCongestionNotification|sysUpTime : 98677211|snmpTrapOID : sonusNodeServerCongestionNotification|sonusShelfIndex : 1|sonusSlotIndex : 5|sonusOverloadLevel : 1|sonusEventDescription : Shelf 1 slot 5 card congestion level 1.|sonusEventClass : 1|sonusEventLevel : 2|sonusSequenceId : 57031|sonusEventTime : 1484582955|sonusSequenceEpoch : 41|hostID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can add following on your Search Head
props.conf
[YourSourceType]
REPORT-getfields = extract_kv_pairs
transforms.conf
[extract_kv_pairs]
DELIMS = "|", ":"
Restart Splunk after making change.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can add following on your Search Head
props.conf
[YourSourceType]
REPORT-getfields = extract_kv_pairs
transforms.conf
[extract_kv_pairs]
DELIMS = "|", ":"
Restart Splunk after making change.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesonie Thanks and it works. I would like to extract the first 5 fields and provide FIELD-NAME to them. how can i do that ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu need to setup field extraction in props.conf like this.
props.conf
[YourSourceType]
REPORT-getfields = extract_kv_pairs
EXTRACT-firstfive = ^(?<fieldname1>[^\|]+)\|(?<fieldname2>[^\|]+)\|(?<fieldname3>[^\|]+)\|(?<fieldname4>[^\|]+)\|(?<fieldname5>[^\|]+)\|
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It helped. Thanks.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
