topic Re: How to extract these fields? in Splunk Search

How to extract these fields?

HeinzWaescher — Wed, 29 Jan 2020 09:19:40 GMT

Hi,

let's say we have events with _raw data like this:

<XY>aaa,bbbb,priority,high<XY>aaa,bbb,login,failed<XY>aaa,bbb,user,johndoe<XZ>

The events can include a random amount of this pattern.
Is it possible to create an automatic field extraction to get:

priority = high
login = failed
user = johndoe

So position 3 of the pattern should set the fieldname while position 4 sets the value.

Thankd in advance

nickhills — Wed, 29 Jan 2020 09:50:29 GMT

Hi @HeinzWaescher

You can use props & transforms to do this:

transforms.conf
[fields-values]
FORMAT = $1::$2
REGEX = >\w+\,\w+\,(\w+)\,(\w+)

props.conf
[yourSourcetype]
REPORT-fields-values = fields-values

Let me know how you get on.

HeinzWaescher — Wed, 29 Jan 2020 10:09:43 GMT

Awesome! Thanks works fine, thanks a lot

nickhills — Wed, 29 Jan 2020 12:36:53 GMT

you are welcome! 🙂