I am having some issues pulling fields out of some particularly strange logging statements, kind of a mix of multivalued and traditional.
For example:
10/08/2013 23:00:00 INFO: | INF|SVC|TASK|1233212123|something happened when ip=128 and stranger=asdf
I need to pull out the following fields:
Field 1: field1=INF
Field 2: field2=SVC
Field 3: field3=TASK
Field 4: field4=1233212123
Field 5: ip=128
Field 6: stranger=asdf
Thoughts???
I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.
Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let Splunk handle the key=value part automatically.
props.conf
[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|
Hope this helps,
K
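To show what the EXTRACT stanza above actually yields on the sample event, here is the same regex applied in Python, with a simplified stand-in for Splunk's automatic key=value extraction. This is an added example, not code from the original post or from Splunk; the KV_PAIRS pattern is an assumption that models only bare key=value tokens, and SAMPLE_EVENT is constructed from the question's log line.

```python
import re

# Constructed sample event, copied from the log line format in the question.
SAMPLE_EVENT = (
    "10/08/2013 23:00:00 INFO: | INF|SVC|TASK|1233212123|"
    "something happened when ip=128 and stranger=asdf"
)

# Same regex as EXTRACT-blah in the answer. Python spells named groups as
# (?P<name>...), whereas props.conf uses the PCRE form (?<name>...).
PIPE_FIELDS = re.compile(
    r"^[^\|]+\|\s+(?P<field1>[^\|]+)\|(?P<field2>[^\|]+)\|"
    r"(?P<field3>[^\|]+)\|(?P<field4>[^\|]+)\|"
)

# Assumption: a simplified model of Splunk's automatic key=value extraction,
# matching only bare key=value tokens with no whitespace around the '='.
KV_PAIRS = re.compile(r"\b(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>[^\s|]+)")


def extract_fields(event: str) -> dict:
    """Return the four pipe-delimited fields plus any key=value pairs.

    Raises ValueError when the pipe-delimited header is absent, so a change
    in the event format (the answer's stated assumption) is noticed instead
    of silently producing an event with no fields.
    """
    m = PIPE_FIELDS.match(event)
    if m is None:
        raise ValueError("event does not match the expected pipe-delimited format")
    fields = m.groupdict()
    # The key=value pairs live in the free text after the last matched pipe.
    remainder = event[m.end():]
    for kv in KV_PAIRS.finditer(remainder):
        # setdefault keeps field1..field4 from being overwritten by a stray key.
        fields.setdefault(kv.group("key"), kv.group("value"))
    return fields


if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{name}={value}")
```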
You're welcome. 🙂
Worked, awesome.
Thanks!
Which field contains ip and stranger? If the other fields exist, then the remaining text must be in some other field.
Or, are you saying that none of the fields are extracted and you need to use | as a delimiter with a multi extraction from the last field?