I have this log event:
2013-02-01 17:23:46,877 query id=a0e22777-2aaf-4486-9a56-fd1dae24bb82{
"start" : 1,
"returned" : 0,
"count" : 0
}query
I need to index the same log event in Splunk as follows:
{
"query_time" : "2013-02-01 17:23:46,877",
"id" : a0e22777-2aaf-4486-9a56-fd1dae24bb82,
"start" : 1,
"returned" : 0,
"count" : 0
}
Is there a way to do it using transforms.conf and props.conf?
Thanks,
Lp
I took a different approach to solve the problem. I extracted the JSON portion of the log event using a regex. Then I was able to use spath without any problem.
Thanks,
Lp
Yes, sed to the rescue: http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Anonymizedatausingconfigurationfiles#Through_...
Something along these lines, untested:
SEDCMD-foo = s/([0-9- :,]+)\s+query\s+id=([0-9a-f-]+){(.*)}query/{"query_time":"\1","id":"\2",\3}/
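An added example (not part of the original thread) that applies the same sed-style rewrite in Python to a constructed copy of the event from the question and then parses the result, so you can confirm the output is valid JSON before putting the SEDCMD into props.conf. The id character class includes the hyphen so the UUID matches, and DOTALL lets ".*" span the line breaks of the JSON body; the function names are hypothetical.

```python
import json
import re

# Constructed sample of the multi-line log event from the question.
LOG_EVENT = (
    "2013-02-01 17:23:46,877 query id=a0e22777-2aaf-4486-9a56-fd1dae24bb82{\n"
    '"start" : 1,\n'
    '"returned" : 0,\n'
    '"count" : 0\n'
    "}query"
)

# Python equivalent of the SEDCMD pattern: group 1 is the timestamp, group 2
# the hyphenated id (note the "-" inside the class), group 3 the JSON body.
# re.DOTALL is needed because the body spans several lines.
PATTERN = re.compile(
    r"([0-9- :,]+)\s+query\s+id=([0-9a-f-]+)\{(.*)\}query", re.DOTALL
)
# Same replacement as the sed expression: wrap the captures in one object.
REPLACEMENT = r'{"query_time":"\1","id":"\2",\3}'


def rewrite_event(event: str) -> str:
    """Apply the rewrite to one raw event and return the JSON text."""
    rewritten, n = PATTERN.subn(REPLACEMENT, event, count=1)
    if n == 0:
        raise ValueError("event did not match the query pattern")
    return rewritten


def parse_event(event: str) -> dict:
    """Rewrite and parse, so a regex mistake surfaces as a JSON error."""
    return json.loads(rewrite_event(event))


if __name__ == "__main__":
    print(rewrite_event(LOG_EVENT))
    print(parse_event(LOG_EVENT))
```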
Thanks Martin. I am going to test this week.
Lp
Beware: the sed may occur after the timestamp extraction; verify your timestamp in Splunk.