https://community.splunk.com/t5/Splunk-Search/Inconsistent-number-of-spaces-in-a-space-delimited-event/m-p/57621#M14054 <P>Oh hai.</P> <P>So I have some logs from a web cache. Here's an example (note the spaces between 'TimeStamp' &amp; 'Operation' in the header):</P> <PRE>TimeStamp Operation Priority URL 1281654000.385657 refreshed 0.7850 <A href="http://xxx.xxx.xxx/drm4/OnlineMovies/DWS/28/836/summersam_270x390.jpg.http" target="test_blank">http://xxx.xxx.xxx/drm4/OnlineMovies/DWS/28/836/summersam_270x390.jpg.http</A> #Number of transaction records: 1</PRE> <P>My <STRONG>props.conf</STRONG> for this sourcetype is:<BR /></P> <P><CODE>[cache_content]</CODE><BR /> <CODE>pulldown_type=true</CODE><BR /> <CODE>KV_MODE=none</CODE><BR /> <CODE>SHOULD_LINEMERGE=false</CODE><BR /> <CODE>TZ=Australia/Melbourne</CODE><BR /> <CODE>TRANSFORMS-toNull=cache_content_header,cache_content_comment</CODE><BR /> <CODE>REPORT-cacheContentFields=cache_content_fields</CODE><BR /></P> <P>My <STRONG>transforms.conf</STRONG> is as follows:<BR /></P> <P><CODE>[cache_content_header]</CODE><BR /> <CODE>REGEX = ^T</CODE><BR /> <CODE>DEST_KEY = queue</CODE><BR /> <CODE>FORMAT = nullQueue</CODE><BR /></P> <P><CODE>[cache_content_comment]</CODE><BR /> <CODE>REGEX = ^#</CODE><BR /> <CODE>DEST_KEY = queue</CODE><BR /> <CODE>FORMAT = nullQueue</CODE><BR /></P> <P><CODE>[cache_content_fields]</CODE><BR /> <CODE>DELIMS = " "</CODE><BR /> <CODE>FIELDS = "TimeStamp", "Operation", "Priority", "URL"</CODE> </P><HR /> Given this example, the fields are extracted as follows (visible in the field picker):<P></P> <P><CODE>TimeStamp</CODE> = <CODE>1281654000.385657</CODE> (yep that's fine)<BR /> <CODE>Operation</CODE>... Doesn't show up in list of available fields (default behavior with zero value?)<BR /> <CODE>Priority</CODE> = <CODE>refreshed</CODE><BR /> <CODE>URL</CODE> = <CODE>0.7850</CODE><BR /></P> <P>I've checked for special characters (eg. tabs) in vi and there are none, so it looks as though the number of spaces is the issue, with nothing being allocated to the <CODE>Operation</CODE> field, and this throwing the subsequent extractions out.</P> <P>The transforms.conf doco doesn't cover off the use of REGEX's in the DELIM statement, so I'm wondering what I can do here.</P> <P>As always, any help would be greatly appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 11 Mar 2011 11:26:51 GMT rturk 2011-03-11T11:26:51Z https://community.splunk.com/t5/Splunk-Search/Inconsistent-number-of-spaces-in-a-space-delimited-event/m-p/57621#M14054 <P>Oh hai.</P> <P>So I have some logs from a web cache. Here's an example (note the spaces between 'TimeStamp' &amp; 'Operation' in the header):</P> <PRE>TimeStamp Operation Priority URL 1281654000.385657 refreshed 0.7850 <A href="http://xxx.xxx.xxx/drm4/OnlineMovies/DWS/28/836/summersam_270x390.jpg.http" target="test_blank">http://xxx.xxx.xxx/drm4/OnlineMovies/DWS/28/836/summersam_270x390.jpg.http</A> #Number of transaction records: 1</PRE> <P>My <STRONG>props.conf</STRONG> for this sourcetype is:<BR /></P> <P><CODE>[cache_content]</CODE><BR /> <CODE>pulldown_type=true</CODE><BR /> <CODE>KV_MODE=none</CODE><BR /> <CODE>SHOULD_LINEMERGE=false</CODE><BR /> <CODE>TZ=Australia/Melbourne</CODE><BR /> <CODE>TRANSFORMS-toNull=cache_content_header,cache_content_comment</CODE><BR /> <CODE>REPORT-cacheContentFields=cache_content_fields</CODE><BR /></P> <P>My <STRONG>transforms.conf</STRONG> is as follows:<BR /></P> <P><CODE>[cache_content_header]</CODE><BR /> <CODE>REGEX = ^T</CODE><BR /> <CODE>DEST_KEY = queue</CODE><BR /> <CODE>FORMAT = nullQueue</CODE><BR /></P> <P><CODE>[cache_content_comment]</CODE><BR /> <CODE>REGEX = ^#</CODE><BR /> <CODE>DEST_KEY = queue</CODE><BR /> <CODE>FORMAT = nullQueue</CODE><BR /></P> <P><CODE>[cache_content_fields]</CODE><BR /> <CODE>DELIMS = " "</CODE><BR /> <CODE>FIELDS = "TimeStamp", "Operation", "Priority", "URL"</CODE> </P><HR /> Given this example, the fields are extracted as follows (visible in the field picker):<P></P> <P><CODE>TimeStamp</CODE> = <CODE>1281654000.385657</CODE> (yep that's fine)<BR /> <CODE>Operation</CODE>... Doesn't show up in list of available fields (default behavior with zero value?)<BR /> <CODE>Priority</CODE> = <CODE>refreshed</CODE><BR /> <CODE>URL</CODE> = <CODE>0.7850</CODE><BR /></P> <P>I've checked for special characters (eg. tabs) in vi and there are none, so it looks as though the number of spaces is the issue, with nothing being allocated to the <CODE>Operation</CODE> field, and this throwing the subsequent extractions out.</P> <P>The transforms.conf doco doesn't cover off the use of REGEX's in the DELIM statement, so I'm wondering what I can do here.</P> <P>As always, any help would be greatly appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 11 Mar 2011 11:26:51 GMT https://community.splunk.com/t5/Splunk-Search/Inconsistent-number-of-spaces-in-a-space-delimited-event/m-p/57621#M14054 rturk 2011-03-11T11:26:51Z https://community.splunk.com/t5/Splunk-Search/Inconsistent-number-of-spaces-in-a-space-delimited-event/m-p/57622#M14055 <P>Hello.</P> <P>I think it doesn't work because there are multi spaces between "TimeStamp" and "Operation".<BR /></P> <P>So, try this one.</P> <P>In props.conf:</P> <PRE> [cache_content_fields] REGEX = ^([^\s]+)\s+([^\s]+)\s([^\s]+)\s(.*)$ FORMAT = TimeStamp::"$1" Operation::"$2" Priority::"$3" URL::"$4" </PRE> Fri, 11 Mar 2011 12:37:10 GMT https://community.splunk.com/t5/Splunk-Search/Inconsistent-number-of-spaces-in-a-space-delimited-event/m-p/57622#M14055 Hajime 2011-03-11T12:37:10Z https://community.splunk.com/t5/Splunk-Search/Inconsistent-number-of-spaces-in-a-space-delimited-event/m-p/57623#M14056 <P>Your REGEX-fu is stronger than my REGEX-fu! Thanks so much <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 11 Mar 2011 13:46:13 GMT https://community.splunk.com/t5/Splunk-Search/Inconsistent-number-of-spaces-in-a-space-delimited-event/m-p/57623#M14056 rturk 2011-03-11T13:46:13Z