topic Regex match that assign headers to line in Getting Data In

Regex match that assign headers to line

nikorc — Wed, 12 Aug 2020 12:47:46 GMT

I have a log file that has 3 different types of headers. There is a unique id field per line notifying me of what the headers should be. Is there a way to have splunk regex match the line with the unique id then assign headers to that line. There will be 3 different regexs matches with unique headers.

Re: Regex match that assign headers to line

isoutamo — Wed, 12 Aug 2020 14:59:56 GMT

can you share those examples to community, so we could better help you.
r. Ismo

Re: Regex match that assign headers to line

nikorc — Fri, 14 Aug 2020 18:01:38 GMT

here is a sample of some data. 3rd comma-delimited field is the unique type identifier. The 1st 6 fields all have a common header. Then the headers for the fields after these 6 will be different based on the 3rd field value.

Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000 Computer01,06/18/2019 18:15:19.000000,2,111,222,333,Adaptive,black,Normal,black,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,12.1000000000,23.1000000000,34.1000000000,45.1000000000 Computer01,06/18/2019 18:15:14.000000,4,111,222,333,5,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,FREQ CHANGE,0,DEBUG STRING AND DATA,0x00000020,1.2.3.4:1301,112233 Computer01,06/18/2019 18:15:15.000000,4,111,222,333,6,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,NO ERROR,0,DEBUG STRING AND DATA,0x00000040,1.2.3.4:1301,112233 Computer01,06/18/2019 18:15:17.000000,3,111,222,333,444,555,666,777,888,999,Timeout,131.8,DEBUG STRING AND DATA,0x00000100,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307 Computer01,06/18/2019 18:15:18.000000,3,111,222,333,444,555,666,777,888,999,Unspecified Error,132.9,DEBUG STRING AND DATA,0x00000200,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307

Re: Regex match that assign headers to line

thambisetty — Fri, 14 Aug 2020 19:11:57 GMT

Since the event is changed based on id field, you should write regex for each id.

I can help you with regex if you can share event for each id with field header.

Re: Regex match that assign headers to line

nikorc — Fri, 14 Aug 2020 19:24:13 GMT

If you could give me an example using one of the types I should be able to get the rest done. I made some generic headers for the data.

HOSTNAME,DATE_TIME,TYPE,ID1,ID2,ID3,X_TRESHOLD,X_COLOR,Y_THRESHOLD,Y_COLOR,DEBUG_INFO,MEM_ADD,IP_PORT,DEBUG1,DEBUG2,DEBUG3,DEBUG4
Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000