https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118172#M31526 <P>I'd post them, but I would have to pull them from a lab environment - which I don't always have access to.</P> <P>They are also to numerous and unique to give you guys anything meaningful by posting them.</P> <P>I noticed that since the events are coming in CEF, all the field values that are pipe | delimited are extracted just fine, even if there is a space (such as |Delete Attibute| or |Microsoft Windows|).</P> <P>Once the pipe delimitation ends, it seems to perform 'space delimitation' on the rest of the message - fields such as cs1, cs2,cs3, cs1label, msg, etc.</P> Fri, 04 Apr 2014 15:24:45 GMT jravida 2014-04-04T15:24:45Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118167#M31521 <P>Hey folks,</P> <P>So I have some logs coming in CEF format. Splunk is doing it's automatic field extraction, but when I look at the msg field, it only contains the first word of the message field.</P> <P>So it looks like this:</P> <P>msg=The</P> <P>instead of </P> <P>msg=The user was granted magical powers for 15 minutes.</P> <P>It just kicks out the rest of the message. It can't be found within any other fields.<BR /> I've only set this up to ingest syslog data being put on my local server, and defined the index/sourcetype. Nothing fancy, yet.</P> <P>Any help would be greatly appreciated!</P> Wed, 02 Apr 2014 22:00:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118167#M31521 jravida 2014-04-02T22:00:42Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118168#M31522 <P>It looks like you'll be forced to create a field extraction by yourself. This will likely require some regex skills. You should post some sample events so that others can help you.</P> Thu, 03 Apr 2014 09:07:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118168#M31522 kristian_kolb 2014-04-03T09:07:40Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118169#M31523 <P>Also, if you have control over the log file format, you may want to enclose string fields with multiple words within double quotes.</P> Thu, 03 Apr 2014 14:21:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118169#M31523 somesoni2 2014-04-03T14:21:34Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118170#M31524 <P>Hey folks, thanks for the help so far.</P> <P>On further inspection of the events, it appears that all fields in all events (ones I have coming in CEF format from a remote ArcSight connector, and being placed in a file via syslog on the splunk box) suffer from the same symptom.</P> <P>Regardless of the log source or key field, if the variable has a space then the next words are ignored. Only the first word gets extracted.</P> <P>I'm hoping there is a higher level than building regexes to process this, as that wouldn't be very scalable and it would be incredibly time consuming.</P> Thu, 03 Apr 2014 19:56:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118170#M31524 jravida 2014-04-03T19:56:14Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118171#M31525 <P>Yeah, post a sample. Depending on what comes after each field, there may be other field extraction options. Just click <CODE>Edit</CODE> under your question to post additional content.</P> Fri, 04 Apr 2014 14:26:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118171#M31525 Lowell 2014-04-04T14:26:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118172#M31526 <P>I'd post them, but I would have to pull them from a lab environment - which I don't always have access to.</P> <P>They are also to numerous and unique to give you guys anything meaningful by posting them.</P> <P>I noticed that since the events are coming in CEF, all the field values that are pipe | delimited are extracted just fine, even if there is a space (such as |Delete Attibute| or |Microsoft Windows|).</P> <P>Once the pipe delimitation ends, it seems to perform 'space delimitation' on the rest of the message - fields such as cs1, cs2,cs3, cs1label, msg, etc.</P> Fri, 04 Apr 2014 15:24:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118172#M31526 jravida 2014-04-04T15:24:45Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118173#M31527 <P>Have you looked at the <EM>CEF (Common Event Format) Extraction Utilities</EM> app? <A href="http://apps.splunk.com/app/487/">http://apps.splunk.com/app/487/</A></P> Fri, 04 Apr 2014 15:32:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118173#M31527 Lowell 2014-04-04T15:32:27Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118174#M31528 <P>This is EXACTLY what I'm looking for! Splunk community to the rescue. Thanks Lowell!</P> Fri, 04 Apr 2014 15:38:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118174#M31528 jravida 2014-04-04T15:38:42Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118175#M31529 <P>I converted my comment to an answer. If it does in fact resolve your issue, click on the check mark icon.</P> Fri, 04 Apr 2014 16:21:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-variable-length-message-field/m-p/118175#M31529 Lowell 2014-04-04T16:21:41Z