<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Field extraction from simple one-sentense log in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523681#M88422</link>
    <description>&lt;P&gt;thank you, it helps to parse most logs, but &lt;STRONG&gt;the field category&lt;/STRONG&gt; can contain 2 or 3 values&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="user2020dy_0-1602159492323.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/11206i2DB4AE3CF48B28B0/image-size/medium?v=v2&amp;amp;px=400" role="button" title="user2020dy_0-1602159492323.png" alt="user2020dy_0-1602159492323.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Can you prompt how to delimeter these values?&lt;/P&gt;</description>
    <pubDate>Thu, 08 Oct 2020 12:20:39 GMT</pubDate>
    <dc:creator>user2020dy</dc:creator>
    <dc:date>2020-10-08T12:20:39Z</dc:date>
    <item>
      <title>Field extraction from simple one-sentense log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523642#M88418</link>
      <description>&lt;P&gt;Can anybody help me to create &lt;STRONG&gt;props.conf&lt;/STRONG&gt; and &lt;STRONG&gt;transforms.conf&lt;/STRONG&gt; files to correctly parse such logs?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;"2020-10-08 09:35:56","Department1","Department2","113.8.10.134","113.8.10.132","Allowed","1 (A)","NOERROR","ant.com.","Search Engines","Networks","Networks",""&lt;/LI-CODE&gt;&lt;LI-CODE lang="markup"&gt;"2020-10-08 09:35:56","Department1","Department2","113.8.10.134","113.8.10.132","Allowed","1 (A)","NOERROR","ant.com.","Search Engines,Malware","Networks","Networks",""&lt;/LI-CODE&gt;&lt;LI-CODE lang="markup"&gt;"2020-10-08 09:35:56","Department1","Department2","113.8.10.134","113.8.10.132","Allowed","1 (A)","NOERROR","ant.com.","Search Engines,Malware, Network","Networks","Networks",""&lt;/LI-CODE&gt;&lt;LI-CODE lang="markup"&gt;"2020-10-08 09:35:56","Department1","Department2","113.8.10.134","113.8.10.132","Allowed","1 (A)","NOERROR","ant.com.","Malware","Networks","Networks",""&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;As you see, here the log with the category field &lt;EM&gt;"Search Engines,Malware"&lt;/EM&gt; should belong to both categories:&amp;nbsp;Search Engines and&amp;nbsp;Malware. So, the category field can consist of 1, 2, 3 or more values.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Oct 2020 10:21:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523642#M88418</guid>
      <dc:creator>user2020dy</dc:creator>
      <dc:date>2020-10-08T10:21:44Z</dc:date>
    </item>
    <item>
      <title>Re: Field extraction from simple one-sentense log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523645#M88420</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225007"&gt;@user2020dy&lt;/a&gt;&amp;nbsp;try like below-&lt;BR /&gt;props.conf -&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[sourcetype_name]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
category = Custom
TIME_PREFIX = ^\"
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y-%m-%d %H:%M:%S
REPORT-main = parse &lt;/LI-CODE&gt;&lt;P&gt;transforms.conf -&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[parse]
DELIMS = ","
FIELDS = Time,field1,field2,field3,field4,field5,field6,field7,field8,field9,field10,field11,field12,field13&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Let me know if it helps! and upvote will be appreciated&lt;/P&gt;</description>
      <pubDate>Thu, 08 Oct 2020 10:31:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523645#M88420</guid>
      <dc:creator>493669</dc:creator>
      <dc:date>2020-10-08T10:31:20Z</dc:date>
    </item>
    <item>
      <title>Re: Field extraction from simple one-sentense log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523681#M88422</link>
      <description>&lt;P&gt;thank you, it helps to parse most logs, but &lt;STRONG&gt;the field category&lt;/STRONG&gt; can contain 2 or 3 values&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="user2020dy_0-1602159492323.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/11206i2DB4AE3CF48B28B0/image-size/medium?v=v2&amp;amp;px=400" role="button" title="user2020dy_0-1602159492323.png" alt="user2020dy_0-1602159492323.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Can you prompt how to delimeter these values?&lt;/P&gt;</description>
      <pubDate>Thu, 08 Oct 2020 12:20:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523681#M88422</guid>
      <dc:creator>user2020dy</dc:creator>
      <dc:date>2020-10-08T12:20:39Z</dc:date>
    </item>
    <item>
      <title>Re: Field extraction from simple one-sentense log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523710#M88425</link>
      <description>&lt;P&gt;you can use &lt;FONT face="arial black,avant garde" color="#FF0000"&gt;rex&lt;/FONT&gt; command to separate values within category.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Oct 2020 14:21:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-extraction-from-simple-one-sentense-log/m-p/523710#M88425</guid>
      <dc:creator>493669</dc:creator>
      <dc:date>2020-10-08T14:21:59Z</dc:date>
    </item>
  </channel>
</rss>

