<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Extracting fields from a simple KV input in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-a-simple-KV-input/m-p/59450#M11713</link>
    <description>&lt;P&gt;I'm trying to index multi-line key-value (KV) data from a TCP input. I have full control of the input so I can modify it any way; this is how it looks at the moment:&lt;/P&gt;

&lt;P&gt;Id             = '1657'&lt;BR /&gt;
Timestamp      = '2011-03-14 13:28:01'&lt;BR /&gt;
ApplicationId  = 'My Test Application'&lt;BR /&gt;
Severity       = 'INFO'&lt;BR /&gt;
User           = 'George'&lt;BR /&gt;
UserContext    = 'Server5\George'&lt;BR /&gt;
Message        = 'File: C:\temp\MyFile.txt Deleted'&lt;/P&gt;

&lt;P&gt;I want logs to be indexed and searchable by the keys above. At the moment the source type is set to 'tcp' and I can't filter searches on e.g. 'Message'.&lt;/P&gt;

&lt;P&gt;Is there an existing source type that I can use?
Or
How do I create a new one and/or set up field extractions etc?&lt;/P&gt;

&lt;P&gt;//A novice&lt;/P&gt;</description>
    <pubDate>Tue, 15 Mar 2011 23:41:00 GMT</pubDate>
    <dc:creator>magnuspenilsson</dc:creator>
    <dc:date>2011-03-15T23:41:00Z</dc:date>
    <item>
      <title>Extracting fields from a simple KV input</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-a-simple-KV-input/m-p/59450#M11713</link>
      <description>&lt;P&gt;I'm trying to index multi-line key-value (KV) data from a TCP input. I have full control of the input so I can modify it any way; this is how it looks at the moment:&lt;/P&gt;

&lt;P&gt;Id             = '1657'&lt;BR /&gt;
Timestamp      = '2011-03-14 13:28:01'&lt;BR /&gt;
ApplicationId  = 'My Test Application'&lt;BR /&gt;
Severity       = 'INFO'&lt;BR /&gt;
User           = 'George'&lt;BR /&gt;
UserContext    = 'Server5\George'&lt;BR /&gt;
Message        = 'File: C:\temp\MyFile.txt Deleted'&lt;/P&gt;

&lt;P&gt;I want logs to be indexed and searchable by the keys above. At the moment the source type is set to 'tcp' and I can't filter searches on e.g. 'Message'.&lt;/P&gt;

&lt;P&gt;Is there an existing source type that I can use?
Or
How do I create a new one and/or set up field extractions etc?&lt;/P&gt;

&lt;P&gt;//A novice&lt;/P&gt;</description>
      <pubDate>Tue, 15 Mar 2011 23:41:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-a-simple-KV-input/m-p/59450#M11713</guid>
      <dc:creator>magnuspenilsson</dc:creator>
      <dc:date>2011-03-15T23:41:00Z</dc:date>
    </item>
    <item>
      <title>Re: Extracting fields from a simple KV input</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-a-simple-KV-input/m-p/59451#M11714</link>
      <description>&lt;P&gt;First, I would suggest changing the log format slightly to:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;2011-03-14 13:28:00
Id="1657"
ApplicationId="My Test Application"
Severity="INFO"
User="George"
UserContext="Server5\George"
Message="File: C:\temp\MyFile.txt Deleted"
...
...
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Secondly, to specify a sourcetype for your data, you can then edit inputs.conf to:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# inputs.conf
[tcp://12345]
sourcetype = SomeName
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 29 Apr 2011 20:04:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-a-simple-KV-input/m-p/59451#M11714</guid>
      <dc:creator>Ledion_Bitincka</dc:creator>
      <dc:date>2011-04-29T20:04:57Z</dc:date>
    </item>
  </channel>
</rss>

