Solved: inputs.conf configuration for key value pair

dbcase · ‎05-17-2018

Hi,

I have the below data that I will be importing into splunk. Id like to be able to delimit based on the FIRST (and ONLY the first) colon in the line. How would I go about doing this?

Name: HD Front Driveway
    IP: 0.0.0.0
    ID: 11
    Mac: D4:21:22:C9:B4:62
    FW Ver: 3.0.02.51
    Manufacturer: iControl
    Model: iCamera2-C
    Video Size: LARGE
    Verified: true
    RSSI:  dB
    Supported Video Formats: [MJPEG, FLV, RTSP]
    Supported Video Codecs: [H264, MPEG4]
    FLV URL:
    MJPEG URL:
    API Version: 3.3
    MotionTurnedOn: true
    MotionSensitivy: 1 (LOW)
    Local Video Aspect Ratio: 16:9
    Local Video Resolution: 1280:720
    Remote Video Aspect Ratio: 16:9
    Remote Video Resolution: 1280:720

xpac · ‎05-18-2018

As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:

props.conf

[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields

transforms.conf

[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2

I shamelessly copied the regex from @somesoni2's comment 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

xpac · ‎05-18-2018

As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:

props.conf

[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields

transforms.conf

[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2

I shamelessly copied the regex from @somesoni2's comment 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

richgalloway · ‎05-17-2018

Try these settings. You'll need more, like TIME_PREFIX, etc., but these should handle the parsing.

props.conf:

[mysourcetype]
TRANSFORM-foo = foo

transforms.conf:

[foo]
REGEX = (?<_KEY_>[^:]+):\s*(?<_VAL_>[^\n]+)

---
If this reply helps you, Karma would be appreciated.

niketn · ‎05-17-2018

@richgalloway, I had something similar but Empty Key displaces the regular expression ie. line 13 and 14 in the question:

 FLV URL:
 MJPEG URL:

Following is the regex I was using: https://regex101.com/r/6JmpLF/1

\s+([^:]+):\s+(.+)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2 · ‎05-17-2018

This should work (making the values optional)

REGEX = \s*(?<_KEY_>[^:]+):(?<_VAL_>.*)[\r\n]

https://regex101.com/r/6JmpLF/3

somesoni2 · ‎05-17-2018

What have you tried so far?

dbcase · ‎05-17-2018

well that is a fair question. I've not actually tried anything yet but I did look at KV_MODE=True but it appears that uses "=" as the delimiter and I wasn't sure how to change it. Then I'm looking at multiple ":" in a single line and thats where it went out of my ballpark.

inputs.conf configuration for key value pair

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!