https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332777#M61560 <P>can you share sample data after it was decoded? (in plain text)</P> Tue, 18 Apr 2017 12:37:39 GMT adonio 2017-04-18T12:37:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332776#M61559 <P>I have used translatefix to decode the fix messages logs and it worked fine. But Splunk is not able to automatically extract key-value pairs. I don't want to write extract kvdelims and pairdelims in each search. How can I automatically extract key-values using configuration files</P> <P>My Original data:<BR /> 19:14:59.338308 outgoing: 8=FIX.4.X|9=12|35=0|34=123456|49=ABC1|52=20170406-23:14:59.338|56=XYZ1|10=123|</P> <P>After using translatefix as command:<BR /> index=abc sourcetype=xyz | translatefix<BR /> data is decoded as:</P> <P>19:14:59.338308 outgoing: BeginString=FIX.4.X BodyLength=12 MsgType=Heartbeat MsgSeqNum=123456 SenderCompID=ABC1 SendingTime=20170406-23:14:59.338 TargetCompID=XYZ1 CheckSum=123</P> <P>To extract key value pair I have to use extract command in search like below:</P> <P>ndex="abc" sourcetype=xyz | translatefix | extract pairdelim=" " kvdelim="=" . <BR /> Is there any way I can configure to extract automatically using conf files (props.conf, transforms.conf). So I dont have to write extract in each search query and data is extracted automatically. </P> <P>I tried using delims and regex (\w+)=([^[\s]+) in transforms.conf. It worked for original data but not working after using translatefix command.</P> Tue, 18 Apr 2017 10:24:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332776#M61559 isha_rastogi 2017-04-18T10:24:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332777#M61560 <P>can you share sample data after it was decoded? (in plain text)</P> Tue, 18 Apr 2017 12:37:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332777#M61560 adonio 2017-04-18T12:37:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332778#M61561 <P>Yes Sure. </P> <P>My Original data:<BR /> 19:14:59.338308 outgoing: 8=FIX.4.X|9=12|35=0|34=123456|49=ABC1|52=20170406-23:14:59.338|56=XYZ1|10=123|</P> <P>After using translatefix as command:<BR /> index=abc sourcetype=xyz | translatefix<BR /> data is decoded as:</P> <P>19:14:59.338308 outgoing: BeginString=FIX.4.X BodyLength=12 MsgType=Heartbeat MsgSeqNum=123456 SenderCompID=ABC1 SendingTime=20170406-23:14:59.338 TargetCompID=XYZ1 CheckSum=123</P> <P>To extract key value pair I have to use extract command in search like below:</P> <P>ndex="abc" sourcetype=xyz | translatefix | extract pairdelim=" " kvdelim="=" . <BR /> Is there any way I can configure to extract automatically using conf files (props.conf, transforms.conf)</P> Tue, 18 Apr 2017 13:28:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332778#M61561 isha_rastogi 2017-04-18T13:28:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332779#M61562 <P>In the props.conf (on the search head or wherever users log in), add the following:</P> <PRE><CODE>[xyz] KV_MODE = auto </CODE></PRE> <P>And the key-value pairs (separated by <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> will be extracted. You do not need the transforms.conf.</P> Tue, 18 Apr 2017 15:38:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332779#M61562 lguinn2 2017-04-18T15:38:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332780#M61563 <P>Tried to put KV_MODE =auto. No success :(. ( Tried on new indexed data)</P> Wed, 19 Apr 2017 06:20:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332780#M61563 isha_rastogi 2017-04-19T06:20:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332781#M61564 <P>Okay, I gave a dumb answer because I didn't realize that you are using translatefix inline. If you are reformatting the data on the fly (which is how translatefix works), you can't put the field extractions in props.conf or transforms.conf based on the NEW format.</P> <P>However, you can certainly add the field extractions based on the original/stored format. Of course, in the original format, you don't get the "real" field names, instead you get weird names like "10" and "56." To make the names pretty, you would need to do a bunch of renames, which doesn't really help either.</P> <P>I suggest a macro. Let's call it <CODE>infixed_xyz()</CODE> and let the body of the macro be</P> <PRE><CODE>sourcetype=xyz | translatefix | extract pairdelim=" " kvdelim="=" </CODE></PRE> <P>now you can write a search like this</P> <PRE><CODE>index=abc `infixed_xyx` | where TargetCompID=XYZ1 | stats or whatever </CODE></PRE> Wed, 19 Apr 2017 20:19:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332781#M61564 lguinn2 2017-04-19T20:19:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332782#M61565 <P>As translatefix is configured in commands.conf and I'm using it as command. Can I configure it in configuration file so that it will be automatically applied instead of writing it inline. </P> Thu, 20 Apr 2017 15:50:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-automatically-extract-key-value-pairs-after-using/m-p/332782#M61565 isha_rastogi 2017-04-20T15:50:19Z