topic Re: Mixed Multivalued Field Extraction in Splunk Search

Mixed Multivalued Field Extraction

brianjbrady — Tue, 08 Oct 2013 23:30:58 GMT

I am having some issues pulling fields out of some particularly strange logging statements, kind of a mix of multivalued and traditional.

For Example:

10/08/2013 23:00:00 INFO:   |   INF|SVC|TASK|1233212123|something happened when ip=128 and stranger=asdf

I need to pull out the following fields:

Field 1: field1=INF

Field 2: field2=SVC

Field 3: field3=TASK

Field 4: field4=1233212123

Field 5: ip=128

Field6: stranger=asdf

Thoughts???

Re: Mixed Multivalued Field Extraction

lukejadamec — Wed, 09 Oct 2013 00:02:30 GMT

Which field contains ip and stranger? If the other fields exist,then the remaining text must be in some other field.
Or, are you saying that none of the fields are extracted and you need to use | as a delimiter with a multi extraction from the last field.

Re: Mixed Multivalued Field Extraction

kristian_kolb — Wed, 09 Oct 2013 09:05:33 GMT

I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.

Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let splunk handle the key=value part automatically.

props.conf

[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|

Hope this helps,

Re: Mixed Multivalued Field Extraction

brianjbrady — Wed, 09 Oct 2013 19:03:33 GMT

Worked, Awesome.
Thanks!

Re: Mixed Multivalued Field Extraction

kristian_kolb — Wed, 09 Oct 2013 19:30:51 GMT

you're welcome. 🙂