We have cases such as this LDAP audit log file:
dn: dc=<domain name>,dc=com
changetype: modify
replace: ds-sync-state
ds-sync-state: 0000016557BC19A55A110000004D
ds-sync-state: 0000016557BC93E3543100000048
ds-sync-state: 0000016557BC4A5858E300000045
ds-sync-state: 0000016557BCAC641C9300000045
ds-sync-state: 0000016557BCC49E1FF500000045
ds-sync-state: 0000016557BC7AD379F900000065
ds-sync-state: 0000016557BCDCD62ABB00000045
ds-sync-state: 0000016527034D6B075D00000001
ds-sync-state: 0000016557BC629E14FF00000090
ds-sync-state: 0000016557BC3205396F00000049
Is there a way to define the colon as a name/value pair separator? Obviously, none of these fields is being extracted automatically.
Yes, I think you can define a DELIMS based extraction in transforms.conf, specifying that key/value pairs are separated by newline and key is separated from value by colon. Or apply a regex based extraction using something like ([^:]+):\s+([^\r\n]+) with FORMAT = $1::$2. I think that second option is how Splunk_TA_windows does it.
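To see what the two extraction styles from the answer produce on the event in the question, here is an added Python emulation (not code from the thread or from Splunk). It uses the answer's regex and a DELIMS-style split over a constructed event, and models the repeated ds-sync-state key as a multivalue field, which is what Splunk yields when MV_ADD is set; the transforms.conf stanza in the comment is an assumed complete version of the answer's REGEX/FORMAT pair.

```python
import re

# Constructed sample event, modelled on the LDAP audit log in the question
# (the <domain name> placeholder is kept as it appears in the post).
SAMPLE_EVENT = """dn: dc=<domain name>,dc=com
changetype: modify
replace: ds-sync-state
ds-sync-state: 0000016557BC19A55A110000004D
ds-sync-state: 0000016557BC93E3543100000048
ds-sync-state: 0000016527034D6B075D00000001
"""

# The regex from the answer. Assumed full transforms.conf stanza:
#   [ldap_audit_kv]
#   REGEX = ([^:]+):\s+([^\r\n]+)
#   FORMAT = $1::$2
#   REPEAT_MATCH = true
#   MV_ADD = true
KV_RE = re.compile(r"([^:]+):\s+([^\r\n]+)")


def extract_regex(event):
    """Emulate the REGEX transform: every match becomes key=value, and a key
    seen more than once collects all its values (multivalue field)."""
    fields = {}
    for key, value in KV_RE.findall(event):
        # [^:]+ also spans the preceding newline, so strip the key.
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def extract_delims(event):
    """Emulate DELIMS = "\\n", ":" : one pair per line, key split from value
    on the first colon only, so values containing ':' stay intact."""
    fields = {}
    for line in event.splitlines():
        if ":" not in line:
            continue  # no separator: not a key/value line
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def multivalue_fields(fields):
    """Names of fields that ended up with more than one value."""
    return [k for k, v in fields.items() if len(v) > 1]


if __name__ == "__main__":
    for k, v in extract_regex(SAMPLE_EVENT).items():
        print(k, "=", v)
```

Both functions agree on the sample, and both keep a value such as 12:30:00 whole because only the first colon on a line is treated as the separator.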
Thank you @FrankVl.