Simple event parsing question

ehs — Wed, 11 Jan 2012 16:33:44 GMT

My log file has tabular (several columns) data that I need to parse. Each element in a row is separated by spaces, and the columns line up:

Event 1:   01-11 22:22    Some_Data    2   ABC
Event 2:   01-11 20:22    Other_Data   0   XYZABC

How can I "tag" each column so that I can search and filter by it. For instance, if I'd like to call the second column TITLE, I then would like to be able to filter for all events where the TITLE="Some_Data"..which should then return Event 1.

Re: Simple event parsing question

Damien_Dallimor — Wed, 11 Jan 2012 21:37:45 GMT

Assuming that the data is indexed without the "Event 1:" etc.. prefix :

01-11 22:22    Some_Data    2   ABC
01-11 20:22    Other_Data   0   XYZABC

Then in props.conf you could define a search time extraction like :

[my_sourcetype]
EXTRACT-extract_my_fields = (?<datetime>\d{2}-\d{2}\s\d{2}:\d{2})\s+(?<title>\w+)\s+(?<col3>\w+)\s+(?<col4>\w+)

Note : I've made a few assumptions about the pattern of the column values, hence it's a rather generic regex, but you can tweak it as needed. Also, I didn't know what to name col3 and col4, so put your own keys in.

topic Simple event parsing question in Splunk Search

Simple event parsing question

Re: Simple event parsing question