https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-transforms-conf-to-properly-extract-these/m-p/284358#M85977 <P>Hi All.</P> <P>I want to extract fields from the following log data.</P> <PRE><CODE>headerName=Host, Connection, Accept, headerValue=splunk.com, keep-alive, text/html </CODE></PRE> <P>I want to extract fields like this.</P> <PRE><CODE>Host=splunk.com Connection=keep-alive Accept=text/html </CODE></PRE> <P>So I set following in props and transforms</P> <P>props.conf</P> <PRE><CODE>[MY_SYSLOG] REPORT-a = SAMPLE_1,SAMPLE_2,SAMPLE_3 </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[SAMPLE_1] CLEAN_KEYS = 0 FORMAT = $1::$4 REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*) [SAMPLE_2] CLEAN_KEYS = 0 FORMAT = $2::$5 REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*) [SAMPLE_3] CLEAN_KEYS = 0 FORMAT = $3::$6 REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*) </CODE></PRE> <P>This setting extracted fields for part log message, but didn't extract fields for the following log message.</P> <PRE><CODE>headerName=Host, Connection, Accept, Referer, headerValue=splunk.com, keep-alive, text/html, <A href="http://google.com" target="test_blank">http://google.com</A> </CODE></PRE> <P>Is there good solution?</P> <P>Thank you for your help.</P> Thu, 18 Feb 2016 04:59:56 GMT akanno 2016-02-18T04:59:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-transforms-conf-to-properly-extract-these/m-p/284358#M85977 <P>Hi All.</P> <P>I want to extract fields from the following log data.</P> <PRE><CODE>headerName=Host, Connection, Accept, headerValue=splunk.com, keep-alive, text/html </CODE></PRE> <P>I want to extract fields like this.</P> <PRE><CODE>Host=splunk.com Connection=keep-alive Accept=text/html </CODE></PRE> <P>So I set following in props and transforms</P> <P>props.conf</P> <PRE><CODE>[MY_SYSLOG] REPORT-a = SAMPLE_1,SAMPLE_2,SAMPLE_3 </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[SAMPLE_1] CLEAN_KEYS = 0 FORMAT = $1::$4 REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*) [SAMPLE_2] CLEAN_KEYS = 0 FORMAT = $2::$5 REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*) [SAMPLE_3] CLEAN_KEYS = 0 FORMAT = $3::$6 REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*) </CODE></PRE> <P>This setting extracted fields for part log message, but didn't extract fields for the following log message.</P> <PRE><CODE>headerName=Host, Connection, Accept, Referer, headerValue=splunk.com, keep-alive, text/html, <A href="http://google.com" target="test_blank">http://google.com</A> </CODE></PRE> <P>Is there good solution?</P> <P>Thank you for your help.</P> Thu, 18 Feb 2016 04:59:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-transforms-conf-to-properly-extract-these/m-p/284358#M85977 akanno 2016-02-18T04:59:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-transforms-conf-to-properly-extract-these/m-p/284359#M85978 <P>In the example that didn't work, do you want to extract Referer too? Or do you only care about host, connection and accept? Are the values always in the same order after the headerValue= part of the event? Not sure if just hardcoding fieldname is an option or makes sense.</P> <P>In general though, there are probably a few ways to make this work for you. It's just a regex thing. For example, something like this might work in props.conf</P> <PRE><CODE>[MY_SYSLOG] EXTRACT-myfields = headerName=Host,\s+?Connection,\s+?Accept,.+headerValue=(?&lt;host&gt;[^,]+),\s+?(?&lt;connection&gt;[^,]+),\s+?(?&lt;Accept&gt;[^,]+) </CODE></PRE> Sun, 06 Mar 2016 17:30:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-transforms-conf-to-properly-extract-these/m-p/284359#M85978 maciep 2016-03-06T17:30:21Z