- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- field parsing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field parsing
Looking for a help to extract fields search time using props.conf from below kind of events
01/20/2020 08:05:07:466 | FATAL | 9425872470 | 67641BMM | | | Edit Client Update | com.nm.cda.editclient.controller.EditClientController:updateEditClient | Edit Client Data | Dept-Div: ld26 | Policy: NA | Entity Type: N | Long Name: Y | Long Address: N | TIN: N | Email: N | Phone: N | Gender: N | DOB: N | Short Name: N | Short Address: N | Delete Alias: N | HH Change: N | User ID: 67215BMM | Logged In User: A2569JH | Dept Div Code: N/A | General Agency: 106
Below is how is the expectation of fields and value
Time = 01/20/2020 08:05:07:466
Error = FATAL
ID = 9425872470
seq = 67641BMM
Action = Edit Client Update
update= com.nm.cda.editclient.controller.EditClientController:updateEditClient
Edit Client Data
Dept-Div = ld26
Policy= NA
Entity Type = N
Long Name = Y
Long Address = N
TIN = N
Email = N
Phone = N
Gender = N
DOB = N
Short Name = N
Short Address = N
Delete Alias = N
HH Change = N
User ID = 67215BMM
Logged In User = A2569JH
Dept Div Code = N/A
General Agency = 106
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a DELIMS based extraction (transforms.conf) to extract the subfields:
[your_transform_rule]
SOURCE_KEY = _raw
DELIMS = "|"
FIELDS = Extracted_time, Error, ..., General_Agency
Then, you'd call that rule from the props.conf of your sourcetype, like this:
[your_sourcetype]
REPORT-extracted_fields = your_transform_rule
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah with delims, i am able to extract the fields but the problem is we have to extract the below part also where bold characters need to considered as field name , i am looking for some regex that can extract this.
User ID: 67215BMM | Logged In User: A2569JH | Dept Div Code: N/A | General Agency: 106
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(?<key>\w[\w ]+(?=\:)): (?<value>[\w\/]+)
$1::$2
like this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my current transforms.conf is shown as below. I need to parse the event based on delimit and second half based on the delimit and colon. please let me know what change i have to make in props or transforms to accommodate both regex and delims, like "| FATAL | "should be assigned to Error field name and | User ID: 67215BMM | should be extracted as User ID as fieldname and 67215BMM as value
DELIMS = "|"
FIELDS = Extracted_time, Error, ..., General_Agency
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
