Hi all.
I have a complex audit log from SAP that after parsing looks like:
2AUW20150601081201001213100012Bc FILE1 /BL/TASK_SCHEDULER 8872/BL/TASK_SCHEDULER&
In the SAP "rare world", the first field has the info about programs and returns; for example, the first 4 characters are the kind of operation:
2AUW = report.
I am using the definition mentioned in this site:
http://scn.sap.com/thread/3298688
Splunk doesn't do a default field extraction after parsing. How can I "split" the first field into subfields (counting characters)? I mean:
1.) First 4 characters are the kind of report.
2.) Other 6 characters the date.
etc. (the table with the values is included)
Any suggestions? Thanks!
You do it like this:
... | rex field=MultiField "(?<First4CharField>.{4})(?<Second4CharField>.{4})(?<Third4CharField>.{4})(?<Fourth4CharField>.{4})"
@woodcock, this works:
rex field=_raw "(?<First4CharField>.{4})(?<Second4CharField>.{4})(?<Third4CharField>.{4})(?<Fourth4CharField>.{4})"
How can I set it permanently?
Thanks!
You put it into config files on your search head like this:
props.conf:
[mysourcetype]
REPORT-fields-by-column-position = fields-by-column-position
transforms.conf:
[fields-by-column-position]
REGEX = (.{4})(.{4})(.{4})(.{4})
FORMAT = First4CharField::$1 Second4CharField::$2 Third4CharField::$3 Fourth4CharField::$4
Don't forget to "Accept" my answer.
In your FORMAT line:
FORMAT = First4CharField::$1Second4CharField::$2 Third4CharField::$3 Fourth4CharField::$4
Did you forget the spaces, or doesn't it matter?
Yes, use spaces (cut and paste error).
Thanks, I will test. How can I set it permanently? The field extraction is done one by one, right?
Thanks @woodcock, it doesn't work. Any other suggestions?
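The positional split from the answers above, reproduced in Python as an added example (not code from the thread or from Splunk): it generates the `rex` pattern and the transforms.conf REGEX/FORMAT lines from a (name, width) layout and applies the same split to the sample record quoted in the question. The four 4-character fields are the answer's placeholder names, not the real SAP column layout.

```python
import re

# Constructed sample: the parsed SAP audit log record quoted in the question above.
SAMPLE_RAW = "2AUW20150601081201001213100012Bc FILE1 /BL/TASK_SCHEDULER 8872/BL/TASK_SCHEDULER&"

# Field layout as (name, width) pairs. These are the four 4-character fields from the
# answer above (assumed placeholders); replace them with the real SAP widths from your table.
LAYOUT = [
    ("First4CharField", 4),
    ("Second4CharField", 4),
    ("Third4CharField", 4),
    ("Fourth4CharField", 4),
]


def build_rex(layout):
    """Return the Splunk `rex` pattern; Splunk named groups use the (?<name>...) syntax."""
    return "".join(f"(?<{name}>.{{{width}}})" for name, width in layout)


def build_transforms(layout):
    """Return the transforms.conf REGEX and FORMAT values for the same positional split.
    FORMAT entries are separated by spaces, as the thread above points out."""
    regex = "".join(f"(.{{{width}}})" for _, width in layout)
    fmt = " ".join(f"{name}::${i}" for i, (name, _) in enumerate(layout, start=1))
    return regex, fmt


def extract(raw, layout):
    """Apply the positional split to one raw event and return {field: value}.
    Python's re module needs (?P<name>...), so the pattern is rebuilt in that syntax."""
    pattern = "".join(f"(?P<{name}>.{{{width}}})" for name, width in layout)
    match = re.match(pattern, raw)  # anchored at the event start, like rex on _raw
    if match is None:  # event shorter than the layout: extract nothing rather than crash
        return {}
    return match.groupdict()


if __name__ == "__main__":
    print("rex pattern:", build_rex(LAYOUT))
    regex, fmt = build_transforms(LAYOUT)
    print("REGEX  =", regex)
    print("FORMAT =", fmt)
    print(extract(SAMPLE_RAW, LAYOUT))
```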