https://community.splunk.com/t5/Splunk-Search/ncftpd-log-extractions/m-p/59682#M14703 <P>I'm trying to do field extractions for ncftpd xfer logs. These are generally csv but the fields differ depending on what operation is being logged ( <A href="http://ncftpd.com/ncftpd/doc/xferlog.html">http://ncftpd.com/ncftpd/doc/xferlog.html</A> if you want the details.)</P> <P>Is there a clean way to extract the first few generic fields and do the other field extractions depending on the values extracted? Let's call the first field 'operation'. Can I say something like</P> <P>search operation="S" OR operation="R" | do field extractions specific to these<BR /> search operation="T" | do field extractions specific to this</P> Fri, 27 Jan 2012 19:17:53 GMT jspears 2012-01-27T19:17:53Z https://community.splunk.com/t5/Splunk-Search/ncftpd-log-extractions/m-p/59682#M14703 <P>I'm trying to do field extractions for ncftpd xfer logs. These are generally csv but the fields differ depending on what operation is being logged ( <A href="http://ncftpd.com/ncftpd/doc/xferlog.html">http://ncftpd.com/ncftpd/doc/xferlog.html</A> if you want the details.)</P> <P>Is there a clean way to extract the first few generic fields and do the other field extractions depending on the values extracted? Let's call the first field 'operation'. Can I say something like</P> <P>search operation="S" OR operation="R" | do field extractions specific to these<BR /> search operation="T" | do field extractions specific to this</P> Fri, 27 Jan 2012 19:17:53 GMT https://community.splunk.com/t5/Splunk-Search/ncftpd-log-extractions/m-p/59682#M14703 jspears 2012-01-27T19:17:53Z https://community.splunk.com/t5/Splunk-Search/ncftpd-log-extractions/m-p/59683#M14704 <P>You can't automate a conditional delimiter-based field extraction, but you can define one unique field extraction per type of xferlog event and select which one to apply using the <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Extract" target="_blank">extract</A> command.</P> <P>First, define an automatic field extraction for the "operation" field, the value of which should determine which delimiter-based extraction we will apply.</P> <UL> <LI>props.conf:</LI> </UL> <P><CODE>[xferlog]<BR /> EXTRACT-operation = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}[^|]*\|\s+(?<OPERATION>\w),</OPERATION></CODE></P> <P>Now in <A href="http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf" target="_blank">transforms.conf</A>, define one delimiter-based field extraction for each type of event. As an example, based on the xferlog reference page here's one definition for the S and R log entry types and one for the T (directory listing) log entry type.</P> <UL> <LI>transforms.conf:</LI> </UL> <P><CODE>[fields_store_retrieve]<BR /> DELIMS = ","<BR /> FIELDS = "Head","Pathname","Size","Duration","Rate","User","Email","Host","Suffix","Completion","Transfer_Type","Transfer_notes","Start_of_transfer","Session_ID","Starting_size","Starting_offset"</CODE></P> <P><CODE>[fields_dirlist]<BR /> DELIMS = ","<BR /> FIELDS = "Head","Pathname","Completion","Pattern","Recursion","User","Email","Host","Session ID"</CODE></P> <P>Now when you search, apply the appropriate field extraction depending on the value of the "operation" field of the events you are querying :</P> <PRE><CODE>sourcetype=xferlog operation=R OR operation=S | extract fields_store_retrieve </CODE></PRE> <P><STRONG>or</STRONG>:</P> <PRE><CODE>sourcetype=xferlog operation=T | extract fields_dirlist </CODE></PRE> <P>It's too bad that one cannot define automatic field extractions based on <A href="http://docs.splunk.com/Splexicon:Eventtype" target="_blank">event types</A> because this would have been an ideal use-case for that.</P> Mon, 28 Sep 2020 10:22:21 GMT https://community.splunk.com/t5/Splunk-Search/ncftpd-log-extractions/m-p/59683#M14704 hexx 2020-09-28T10:22:21Z