Hello
I have a structured data source that puts out data in a table with headers and a footer row with a total.
I got all the extractions working BUT there is a field called path that may contain spaces:
directory DEFAULT /abc/path/fileservers/xxxd19/acb123 Cost Estimate No 10.00G - 9.00G 292.14M
directory DEFAULT /abc/path/fileservers/xxxd19/A12 No 120.00G - 113.00G 50.549G
The second path works great, extracts properly. The first however truncates "Cost Estimate" because of the space then throws off the rest of the fields.
The props look like this:
[storage:data]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK =
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
FIELD_DELIMITER = whitespace
HEADER_FIELD_LINE_NUMBER = 1
SEDCMD-removeDash = s/---------------------------------------------------------------------------------------------------------//g
SEDCMD-removeDash2 = s/^\-.*$//g
Any ideas on how to make the field include the portion of the path that includes spaces?
Thanks in advance for the help!
You are doing it wrong; use multikv
which uses column-alignment
:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv
Obviously, FIELD_DELIMITER = whitespace
won't work. Let's try a regex transform.
Props.conf:
[storage:data]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK =
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER = 1
SEDCMD-removeDash = s/---------------------------------------------------------------------------------------------------------//g
SEDCMD-removeDash2 = s/^\-.*$//g
TRANSFORMS-extract = extracter
Transforms.conf:
[extracter]
REGEX = (?<field1>\S+)\s+(?<field2>\S+)\s+(?<path>.+?)\s{2,}(?<field4>\S+)\s+(?<field5>\S+)\s+(?<field6>\S+)\s+(?<field7>\S+)\s+(?<field8>\S+)