topic How to extract values for specific token from pipe delimited log in Getting Data In

How to extract values for specific token from pipe delimited log

att35 — Tue, 20 Jul 2021 12:37:22 GMT

Hi,

I have some application logs in the following format:

Most of the tokens are in Field=Value format and Splunk is able to extract them just fine except the portion where there is no Field listed. Just two different error strings separated by a " - ". (These strings may contain other special characters as part of the error)

Is there a way I can extract both of them separately, e.g. signature_1, signature_2 without disturbing rest of the extractions? I would prefer doing this with props/transforms.

I was thinking of using "DELIMS" option but not sure how to target just that particular part of the log.

Re: How to extract values for specific token from pipe delimited log

venkatasri — Tue, 20 Jul 2021 23:34:29 GMT

Hi @att35

You can try inline rex as below, and props.conf shall be deployed to SearchHead.

#props.conf

---

An upvote would be appreciated and Accept solution if this reply helps!

Re: How to extract values for specific token from pipe delimited log

att35 — Wed, 21 Jul 2021 13:02:16 GMT

@venkatasri

Thank you. Regex was able to extract both parts but I noticed that since there were several - characters within signature_1, it was splitting the string way before the actual - that separates the two. Since both strings are also separated by white spaces, I was able to get around that using following: