Hi Experts,
I am injecting the logs below into Splunk using a file input.
cs2Label=Original Category Outcome cs3Label=Original Device Product cs4Label=Internal Host cs5Label=Malicious IP Address
After parsing in Splunk I can see the output below:
cs2Label=Original
cs3Label=Original
cs4Label=Internal
cs5Label=Malicious
So from the output it is clear that it is ignoring the string after the first space. So I tried my own regex and placed it in
transforms.conf
[abc]
REGEX = (([\w.:\[\]]+)=(.*?(?=(?:\s[\w.:\[\]]+=|$))))
props.conf
[cef]
TRANSFORMS-blah = abc
Still I can see the string is missing in all the fields. Please suggest how I can achieve it using props and transforms conf.
Thanks
VG
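As an added illustration, not code from the original post, the regex posted above is applied in Python to the sample line, beside a whitespace-delimited match that reproduces the truncated values shown in the question; the whitespace-delimited pattern is an assumption standing in for Splunk's default key=value extraction, and Python's re module stands in for Splunk's PCRE engine since the pattern uses only constructs both support.

```python
import re

# The extraction regex from the question, unchanged:
# group 2 = field name, group 3 = value. The lazy value match stops
# only where the lookahead sees the next " key=" or the end of the line.
CEF_KV_RE = re.compile(r"(([\w.:\[\]]+)=(.*?(?=(?:\s[\w.:\[\]]+=|$))))")

# Assumption, for contrast only: a whitespace-delimited key=value match
# that ends each value at the first space, like the output in the question.
NAIVE_KV_RE = re.compile(r"([\w.:\[\]]+)=(\S*)")

# Constructed sample: the extension string from the question.
SAMPLE = ("cs2Label=Original Category Outcome cs3Label=Original Device Product "
          "cs4Label=Internal Host cs5Label=Malicious IP Address")


def extract_with_lookahead(line):
    """Return {field: value} using the question's regex; values keep their spaces."""
    return {m.group(2): m.group(3) for m in CEF_KV_RE.finditer(line)}


def extract_naive(line):
    """Return {field: value} as a whitespace-delimited key=value match sees it."""
    return {k: v for k, v in NAIVE_KV_RE.findall(line)}


if __name__ == "__main__":
    for name, fn in (("naive", extract_naive), ("lookahead", extract_with_lookahead)):
        print(name)
        for k, v in fn(SAMPLE).items():
            print(f"  {k} = {v!r}")
```

The lookahead version also keeps an embedded "=" inside a value (for example msg=a=b), because it only breaks on whitespace followed by a key and "=".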
What is the event from? Have you tried using a TA that already has the extractions for the device? Splunk TA Cisco for example if it's a Cisco device? That's the easiest method.
Actually it was just for learning purposes. I prepared a sample log and fed it to Splunk using a file input. My idea was not to use a TA but to extract fields using these 2 confs. Maybe this TA uses props and transforms for extraction and I can get some help from that.