Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using DELIMS with a string instead of single character

restevan
New Member
‎05-29-2017 11:37 AM

Hi,

I'm forwarding from an proxy logs using NX-log and nxlog is using string "#011" to separate fields, like that:

May 29 20:28:55 PROXY - 10.147.23.21#011anonymous#011Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36#0112017-05-29#01118:28:44#011WBCNGTY02#011-#011login.splunk.com#01154.191.103.192#011443#0110#0117408#0112032#011SSL-tunnel#011-#011login.splunk.com:443#011-#011Inet#0110#011Navigate#011Req ID: 05543040; Compression: client=No, server=No, compress rate=0% decompress rate=0%#011Internal#011Internal#0110x8#011Allowed#011-#011-#011-#011-#011Allowed#011Malware Inspection Disabled for the Matching Policy Rule#011Unknown#011-#0110#011-#0110#011-#011-#011Feature disabled#011Web Proxy#011login.splunk.com#0119958#015

I've created in my transforms.conf the following:

  DELIMS = "\#"
    FIELDS = "c-ip","cs-username","c-agent","date","time","s-computername","cs-referred","r-host","r-ip","r-port","time-taken","sc-bytes","cs-bytes","cs-protocol","s-operation","cs-uri","cs-mime-type","s-object-source","sc-status","rule","FilterInfo","cs-network","sc-network","error-info","action","AuthenticationServer","NIS_scan_result","NIS_signature","ThreatName","MalwareInspectionAction","MalwareInspectionResult","UrlCategory","MalwareInspectionContentDeliveryMethod","MalwareInspectionDuration","MalwareInspectionThreatLevel","internal-service-info","NIS_application_protocol","NAT_address","UrlCategorizationReason","SessionType","UrlDestHost","s-port"

And it works but it's not ok because every field value has at its begining the string "011".

Is there a way to specify a field delimiter that is not a single character but a string?
I've tried the following

DELIMS = "\#011"
FIELDS = "c-ip","cs-username","c-agent","date","time","s-computername","cs-referred","r-host","r-ip","r-port","time-taken","sc-bytes","cs-bytes","cs-protocol","s-operation","cs-uri","cs-mime-type","s-object-source","sc-status","rule","FilterInfo","cs-network","sc-network","error-info","action","AuthenticationServer","NIS_scan_result","NIS_signature","ThreatName","MalwareInspectionAction","MalwareInspectionResult","UrlCategory","MalwareInspectionContentDeliveryMethod","MalwareInspectionDuration","MalwareInspectionThreatLevel","internal-service-info","NIS_application_protocol","NAT_address","UrlCategorizationReason","SessionType","UrlDestHost","s-port"

But that seems not to work.
May be there is another way of doing what I need.
Any help?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-29-2017 07:16 PM

I would change the #011 to pipes with sedcmd in props.

SEDCMD-fixdelims= s/#011/|/g

Then I would use pipes as the delims.

Or I would use REGEX and FORMAT in transforms.conf if you only want this to work at search time / not manipulate the data at all. However that will be a bit more challenging.

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-29-2017 07:16 PM

I would change the #011 to pipes with sedcmd in props.

SEDCMD-fixdelims= s/#011/|/g

Then I would use pipes as the delims.

Or I would use REGEX and FORMAT in transforms.conf if you only want this to work at search time / not manipulate the data at all. However that will be a bit more challenging.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-30-2017 06:33 AM

Excellent!. @restevan - please mark answer as accepted.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-29-2017 07:22 PM

You could do it like this but it's laborious:

 REGEX=(?<field1>.+)\#011(?<field2>.+)\#011....
0 Karma
Reply
Solved! Jump to solution

restevan
New Member
‎05-30-2017 12:19 AM

Hi @jkat54, that's exactly what I would like to avoid 🙂

Your suggestion worked fine! Just a little detail for the record and future references.
In prop.conf I had to put:

[my_new_sourcetype]
REPORT-TMG_over_nxlog=TMG_over_nxlog
SEDCMD-fixdelims= s/#011/|/g
SEDCMD-fixNXlogHeader= s/PROXY \-/PROXY |/g

The second SEDCMD is to reflect the header added by nxlog to each TMG log.
And in transform.conf that:

[TMG_over_nxlog]
DELIMS = "\|"
FIELDS = "nxlog-header","c-ip","cs-username","c-agent","date","time","s-computername","cs-referred","r-host","r-ip","r-port","time-taken","sc-bytes","cs-bytes","cs-protocol","s-operation","cs-uri","cs-mime-type","s-object-source","sc-status","rule","FilterInfo","cs-network","sc-network","error-info","action","AuthenticationServer","NIS_scan_result","NIS_signature","ThreatName","MalwareInspectionAction","MalwareInspectionResult","UrlCategory","MalwareInspectionContentDeliveryMethod","MalwareInspectionDuration","MalwareInspectionThreatLevel","internal-service-info","NIS_application_protocol","NAT_address","UrlCategorizationReason","SessionType","UrlDestHost","s-port"

And restart splunk.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-30-2017 05:56 AM

Sweet then! I love it when folks can take my suggestion and "run with it". If you feel I helped you solve the answer, then feel free to mark mine as the answer. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...