Is there a simple way to have Splunk assign field names based on ":"? For example, Splunk does a good job of picking up the field name if the format is...
myfield=testvalue
I have the following type of log entry and I want to report on the fields. I do not want to define/extract each field.
Event message: A configuration error has occurred.
Event time: 2/12/2013 4:08:20 PM
Event time (UTC): 2/12/2013 9:08:20 PM
Event ID: e60329dcbe45472593eba4629aa020ae
Event sequence: 84
Event occurrence: 3
Event detail code: 0
Application information:
Application domain: /dadadadadad
Trust level: Full
Application Virtual Path: /
Application Path: D:\Web\dadadada\
Something like this should do it.
In props.conf
[yoursourcetype]
REPORT-cextract = extractdelimitedfields
In transforms.conf
[extractdelimitedfields]
REGEX = (?m)^([^:]+): (.+?)$
FORMAT = $1::$2
When I added the information above, I ended up with a field that contained basically all the information within the event. The field name was so long, I could not read it.
props.conf
[WinEventLog:Application]
REPORT-cextract = extractdelimitedfields
transforms.conf
[extractdelimitedfields]
REGEX = (?m)^([^:]+): (.+?)$
FORMAT = $1::$2
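The symptom in the follow-up is explained by the regex in the answer: `[^:]+` is a negated character class, so it happily matches newlines, and once the matcher reaches a line that has no ": " in it (the `key=value` header lines of a WinEventLog event, or the bare `Application information:` line) the "field name" group swallows every following line up to the next ": ". The added example below, which is not code from the thread or from Splunk, reproduces that against a constructed event shaped like a `WinEventLog:Application` record with the ASP.NET message from the question, then runs a corrected pattern (`^([^:\r\n]+):[ \t]+(.+?)[ \t\r]*$`) that cannot cross a line break. It uses Python's `re`, which agrees with Splunk's PCRE engine for these constructs, and emulates the documented default `CLEAN_KEYS = true` behaviour (non-alphanumerics become underscores, leading underscores and digits are stripped) so the printed field names match what you would see in Splunk. The header lines (`LogName`, `SourceName`, `EventCode`, and so on) and the `Message=Event code: 3001` prefix are assumptions about the event layout for illustration only.

```python
import re

# Constructed sample of one Windows Application log event in the shape
# Splunk's WinEventLog:Application input produces: a timestamp line, a
# block of key=value header lines, then the ASP.NET health-monitoring
# message from the question. Assumed layout for illustration, not a real
# captured event.
SAMPLE_EVENT = """02/12/2013 04:08:20 PM
LogName=Application
SourceName=ASP.NET 4.0.30319.0
EventCode=1310
EventType=3
Type=Warning
ComputerName=WEB01
Message=Event code: 3001
Event message: A configuration error has occurred.
Event time: 2/12/2013 4:08:20 PM
Event time (UTC): 2/12/2013 9:08:20 PM
Event ID: e60329dcbe45472593eba4629aa020ae
Event sequence: 84
Event occurrence: 3
Event detail code: 0
Application information:
Application domain: /dadadadadad
Trust level: Full
Application Virtual Path: /
Application Path: D:\\Web\\dadadada\\
"""

# The REGEX from the answer. [^:]+ also matches "\n", so from the first
# line that has no ": " the name group runs across every following line
# until the next ": " is found.
ORIGINAL_REGEX = r"(?m)^([^:]+): (.+?)$"

# Corrected REGEX for transforms.conf (FORMAT = $1::$2 stays the same):
# the name may not contain a line break, the separator tolerates extra
# spaces or tabs, and trailing whitespace / CR is kept out of the value.
FIXED_REGEX = r"(?m)^([^:\r\n]+):[ \t]+(.+?)[ \t\r]*$"


def clean_key(name: str) -> str:
    """Emulate Splunk's default CLEAN_KEYS=true: replace every character
    that is not a-z, A-Z or 0-9 with "_", then strip leading "_" and digits."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "_", name)
    return cleaned.lstrip("_0123456789")


def extract_fields(event: str, regex: str) -> dict:
    """Apply a FORMAT=$1::$2 style transform: every match of the regex
    yields one field named by group 1 holding group 2. A repeated name
    overwrites the earlier value, like the default MV_ADD=false."""
    fields = {}
    for name, value in re.findall(regex, event):
        fields[clean_key(name)] = value
    return fields


def longest_field_name(fields: dict) -> int:
    """Length of the longest extracted field name; the original regex
    produces one name well over 100 characters on SAMPLE_EVENT."""
    return max(len(k) for k in fields)


if __name__ == "__main__":
    broken = extract_fields(SAMPLE_EVENT, ORIGINAL_REGEX)
    print("original regex: %d fields, longest name is %d chars"
          % (len(broken), longest_field_name(broken)))
    fixed = extract_fields(SAMPLE_EVENT, FIXED_REGEX)
    print("fixed regex: %d fields" % len(fixed))
    for key, value in fixed.items():
        print("  %s = %s" % (key, value))
```

With the original pattern the first extracted name is everything from `LogName=Application` down to `Message=Event code`, joined with underscores after key cleaning, which is the unreadable field the follow-up describes. With the corrected pattern each `Something: value` line becomes its own field (`Event_message`, `Event_time__UTC_`, `Trust_level`, ...), the `Application information:` heading is skipped because it has no value, and the header lines that use `=` are left to Splunk's normal key=value extraction. Paste the corrected regex into the `[extractdelimitedfields]` stanza in transforms.conf unchanged, including the leading `(?m)`; without it `^` and `$` would only anchor at the start and end of the whole event.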