How to extract the fields for kv pair syslog data?

knalla — Mon, 27 Aug 2018 15:13:32 GMT

Hi All,

How to extract the fields for the syslog data with kv values at indexing time?

Aug 27 10:05:58 ciscoasa SFIMS: Protocol: TCP, SrcIP: 1.2.3.1, OriginalClientIP: ::, DstIP: 11.22.33.44, SrcPort: 50981, DstPort: 443, TCPFlags: 0x0, IngressZone: N_inside, EgressZone: N_outside, DE: Primary Detection Engine (ccc24074-6d7e-11e7-9213-b429232f86cc), Policy:allowed_new, ConnectType: Start, AccessControlRuleName: Allow port 80 443, AccessControlRuleAction: Allow, Prefilter Policy: WE_Prefilter, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Windows, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 436, ResponderBytes: 66, Policy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Business and Economy, URLReputation: Well known, URL: splunk.com

Re: How to extract the fields for kv pair syslog data?

horsefez — Mon, 27 Aug 2018 15:25:20 GMT

Hi @knalla,

this regular expression should work

^(?:[^\s]+\s*:){5}|([^:]+):\s*([^,]+)[,$]*
https://regex101.com/r/0lWcR3/1

props.conf

[yoursourcetype]
TRANSFORMS-yourfirstextraction = extractexample



transforms.conf

[extractexample]
REGEX=^(?:[^\s]+\s*:){5}|([^:]+):\s*([^,]+)[,$]*
FORMAT = $1::$2
MV_ADD = true

topic Re: How to extract the fields for kv pair syslog data? in Splunk Search

How to extract the fields for kv pair syslog data?

Re: How to extract the fields for kv pair syslog data?