extracting fields field name: field value

mcbradford · ‎02-12-2013

Is there a simple way to have splunk assign field names based on ":"? For example, Splunk does a good job of picking up the field name if the format is...

myfield=testvalue

I have the following tyoe of log entry and I want to report on the fields. I do not want to define/extract each field.

Event message: A configuration error has occurred.

Event time: 2/12/2013 4:08:20 PM

Event time (UTC): 2/12/2013 9:08:20 PM

Event ID: e60329dcbe45472593eba4629aa020ae

Event sequence: 84

Event occurrence: 3

Event detail code: 0

Application information:

Application domain: /dadadadadad
Trust level: Full

Application Virtual Path: /

Application Path: D:\Web\dadadada\

Ayn · ‎02-12-2013

Something like this should do it.

In props.conf

[yoursourcetype]
REPORT-cextract = extractdelimitedfields

In transforms.conf

[extractdelimitedfields]
REGEX = (?m)^([^:]+): (.+?)$
FORMAT = $1::$2

mcbradford · ‎02-13-2013

When I added the information above, I ended up with a field that contained basically all the information within the event???? The field name was so long, I could not read it.

props.conf

[WinEventLog:Application]
REPORT-cextract = extractdelimitedfields

transforms.conf

[extractdelimitedfields]
REGEX = (?m)^([^:]+): (.+?)$
FORMAT = $1::$2

extracting fields field name: field value

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!