<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: inputs.conf configuration for key value pair in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411595#M72873</link>
    <description>&lt;P&gt;As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;props.conf&lt;/CODE&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;CODE&gt;transforms.conf&lt;/CODE&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I shamelessly copied the regex from @somesoni2's comment &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 18 May 2018 07:46:37 GMT</pubDate>
    <dc:creator>xpac</dc:creator>
    <dc:date>2018-05-18T07:46:37Z</dc:date>
    <item>
      <title>inputs.conf configuration for key value pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411589#M72867</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have the below data that I will be importing into Splunk.  I'd like to be able to delimit based on the &lt;STRONG&gt;FIRST&lt;/STRONG&gt; (and ONLY the first) colon in the line.  How would I go about doing this?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Name: HD Front Driveway
    IP: 0.0.0.0
    ID: 11
    Mac: D4:21:22:C9:B4:62
    FW Ver: 3.0.02.51
    Manufacturer: iControl
    Model: iCamera2-C
    Video Size: LARGE
    Verified: true
    RSSI:  dB
    Supported Video Formats: [MJPEG, FLV, RTSP]
    Supported Video Codecs: [H264, MPEG4]
    FLV URL:
    MJPEG URL:
    API Version: 3.3
    MotionTurnedOn: true
    MotionSensitivy: 1 (LOW)
    Local Video Aspect Ratio: 16:9
    Local Video Resolution: 1280:720
    Remote Video Aspect Ratio: 16:9
    Remote Video Resolution: 1280:720
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 17 May 2018 19:31:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411589#M72867</guid>
      <dc:creator>dbcase</dc:creator>
      <dc:date>2018-05-17T19:31:33Z</dc:date>
    </item>
    <item>
      <title>Re: inputs.conf configuration for key value pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411590#M72868</link>
      <description>&lt;P&gt;What have you tried so far?&lt;/P&gt;</description>
      <pubDate>Thu, 17 May 2018 19:48:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411590#M72868</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2018-05-17T19:48:02Z</dc:date>
    </item>
    <item>
      <title>Re: inputs.conf configuration for key value pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411591#M72869</link>
      <description>&lt;P&gt;Well, that is a fair question.  I've not actually tried anything yet, but I did look at KV_MODE=True; it appears that uses "=" as the delimiter and I wasn't sure how to change it.  Then I'm looking at multiple ":" in a single line, and that's where it went out of my ballpark.&lt;/P&gt;</description>
      <pubDate>Thu, 17 May 2018 19:50:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411591#M72869</guid>
      <dc:creator>dbcase</dc:creator>
      <dc:date>2018-05-17T19:50:34Z</dc:date>
    </item>
    <item>
      <title>Re: inputs.conf configuration for key value pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411592#M72870</link>
      <description>&lt;P&gt;Try these settings.  You'll need more, like &lt;CODE&gt;TIME_PREFIX&lt;/CODE&gt;, etc., but these should handle the parsing.&lt;/P&gt;

&lt;P&gt;props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[mysourcetype]
TRANSFORMS-foo = foo
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[foo]
REGEX = (?&amp;lt;_KEY_&amp;gt;[^:]+):\s*(?&amp;lt;_VAL_&amp;gt;[^\n]+)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 17 May 2018 20:04:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411592#M72870</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2018-05-17T20:04:59Z</dc:date>
    </item>
    <item>
      <title>Re: inputs.conf configuration for key value pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411593#M72871</link>
      <description>&lt;P&gt;@richgalloway, I had something similar, but Empty Key displaces the regular expression, i.e. lines 13 and 14 in the question:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; FLV URL:
 MJPEG URL:
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Following is the regex I was using: &lt;A href="https://regex101.com/r/6JmpLF/1"&gt;https://regex101.com/r/6JmpLF/1&lt;/A&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;\s+([^:]+):\s+(.+)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 17 May 2018 20:18:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411593#M72871</guid>
      <dc:creator>niketn</dc:creator>
      <dc:date>2018-05-17T20:18:05Z</dc:date>
    </item>
    <item>
      <title>Re: inputs.conf configuration for key value pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411594#M72872</link>
      <description>&lt;P&gt;This should work (making the values optional)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;REGEX = \s*(?&amp;lt;_KEY_&amp;gt;[^:]+):(?&amp;lt;_VAL_&amp;gt;.*)[\r\n]
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;A href="https://regex101.com/r/6JmpLF/3"&gt;https://regex101.com/r/6JmpLF/3&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 17 May 2018 20:50:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411594#M72872</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2018-05-17T20:50:42Z</dc:date>
    </item>
    <item>
      <title>Re: inputs.conf configuration for key value pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411595#M72873</link>
      <description>&lt;P&gt;As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;props.conf&lt;/CODE&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;CODE&gt;transforms.conf&lt;/CODE&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I shamelessly copied the regex from @somesoni2's comment &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 18 May 2018 07:46:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/inputs-conf-configuration-for-key-value-pair/m-p/411595#M72873</guid>
      <dc:creator>xpac</dc:creator>
      <dc:date>2018-05-18T07:46:37Z</dc:date>
    </item>
  </channel>
</rss>

