- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex using transforms.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not quite sure if I'm doing this right or going in the right direction. I have a log where the results are a bunch of numbers. Each number represents the time it took for a specific command to run. The first number represents a command, the second number represents another command, etc.
Here's what the line looks like:
2012-01-11 19:00:05+00 | eap.someregistry.net | 5 | 30 | 4 | 21 | 7 | 45 | 11 | 6 | 13 | 2
I have successfully extracted the eap.someregistry.net and labeled it "server". However I want to extract the numbers as well and have them labeled based on the command that they represent.
Example:
5 would be Login
30 would be Delete
4 would be Create
etc.
I was thinking of using transforms.conf and props.conf for this but I'm not quite sure how to go about this. I don't have a ton of experience using these files for this type of extraction.
I'm reading about props and transforms right now but figured I'd ask this question while I read more. What's the best way to go about doing this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can perform a search time named field extraction with something like this in props.conf
Replace the fields names(command1, command2 etc...) with your specific command names
[my_sourcetype]
EXTRACT-extract_my_fields = \|\s(?<command1>\d+)\s\|\s(?<command2>\d+)\s\|\s(?<command3>\d+)\s\|\s(?<command4>\d+)\s\|\s(?<command5>\d+)\s\|\s(?<command6>\d+)\s\|\s(?<command7>\d+)\s\|\s(?<command8>\d+)\s\|\s(?<command9>\d+)\s\|\s(?<command10>\d+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can perform a search time named field extraction with something like this in props.conf
Replace the fields names(command1, command2 etc...) with your specific command names
[my_sourcetype]
EXTRACT-extract_my_fields = \|\s(?<command1>\d+)\s\|\s(?<command2>\d+)\s\|\s(?<command3>\d+)\s\|\s(?<command4>\d+)\s\|\s(?<command5>\d+)\s\|\s(?<command6>\d+)\s\|\s(?<command7>\d+)\s\|\s(?<command8>\d+)\s\|\s(?<command9>\d+)\s\|\s(?<command10>\d+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah this worked great. Thanks....good to know for the future!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So far I've got a monster regex pulling out all of the numbers but I might see about putting this into files...just not sure how to go about doing it..
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
