topic Re: How To Change Fix Field Value in Splunk Search

How To Change Fix Field Value

dbray_sd — Fri, 12 Feb 2016 17:41:59 GMT

We are pulling in mysql_query events from a freeradius server however one of the field values has an or "|" in it, so Splunk is ignoring the correct next value. Here is the log entry:

acctinputoctets = '0'         << 32 |                                        '442929',                       acctoutputoctets =               '0' <<      32        | '7920416'

Splunk is pulling only the '0' for the values. We need it to ignore the: '0' << 32 |

How do we update the field values so that the correct value is indexed?

Re: How To Change Fix Field Value

somesoni2 — Fri, 12 Feb 2016 17:54:12 GMT

How are you ingesting data? using DB Connect OR file monitoring?? Looks like you got some prefix with field value, which you can correct before indexing (for new events only) OR use Field extraction to ignore in the field value.

Re: How To Change Fix Field Value

lguinn2 — Fri, 12 Feb 2016 18:06:46 GMT

Instead of using automatic field extraction, you will probably need to specify the fields. You can do this

props.conf

[yoursourcetype]
REPORT-fe=extract_fields

transforms.conf

[extract_fields]
FORMAT = $1::$2
REGEX = (\w+)\s*\=.*?\|\s*'(.*?)'

You may need to add

KV_MODE = none

to props.conf, but it would be better if you didn't need it.

Re: How To Change Fix Field Value

dbray_sd — Mon, 15 Feb 2016 17:39:49 GMT

We are using the Splunk Universal Forwarder to pull in /var/log/mysql/mysql_query.log