I am ingesting the logs below into Splunk using a file input.
cs2Label=Original Category Outcome cs3Label=Original Device Product cs4Label=Internal Host cs5Label=Malicious IP Address
After parsing in Splunk I can see the output below:
So from the output it is clear that it is ignoring the string after the first space. So I tried my own regex and placed it in transforms.conf and props.conf:

transforms.conf
[abc]
REGEX = (([\w.:\[\]]+)=(.*?(?=(?:\s[\w.:\[\]]+=|$))))

props.conf
[cef]
TRANSFORMS-blah = abc
Still I can see the string is missing in all the fields. Please suggest how I can achieve this using props.conf and transforms.conf.
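As an added example (not part of the original post or of any Splunk add-on), the question's regex run in Python over a constructed copy of the sample line, next to a plain whitespace-delimited key=value extraction that reproduces the "value stops at the first space" behaviour described above. Python is used only to check the regex offline before it goes into transforms.conf; the sample line and the function names are constructed for the example.

```python
import re

# Constructed sample line: the CEF extension labels from the question,
# whose values contain spaces.
SAMPLE = ("cs2Label=Original Category Outcome cs3Label=Original Device Product "
          "cs4Label=Internal Host cs5Label=Malicious IP Address")

# The regex from the question, unchanged. Group 1 wraps the whole key=value
# pair, group 2 is the key, group 3 is the value; the lookahead that stops
# the lazy value at the next " key=" or at end of line is non-capturing.
QUESTION_REGEX = re.compile(r"(([\w.:\[\]]+)=(.*?(?=(?:\s[\w.:\[\]]+=|$))))")

# Whitespace-delimited key=value: the value ends at the first space, which is
# the truncated result the question reports seeing in Splunk.
SPACE_DELIMITED = re.compile(r"([\w.:\[\]]+)=(\S*)")


def extract_multiword(line: str) -> dict:
    """Extract every key=value pair with the question's regex.

    Uses groups 2 and 3 (key and value), not group 1 (the whole pair).
    """
    return {m.group(2): m.group(3) for m in QUESTION_REGEX.finditer(line)}


def extract_space_delimited(line: str) -> dict:
    """Extract key=value pairs where the value stops at the first space."""
    return {m.group(1): m.group(2) for m in SPACE_DELIMITED.finditer(line)}


def truncated_fields(line: str) -> list:
    """Names of fields whose whitespace-delimited value lost part of the
    multi-word value, i.e. the fields the question says are 'missing' text."""
    full = extract_multiword(line)
    short = extract_space_delimited(line)
    return [k for k in full if short.get(k) != full[k]]


if __name__ == "__main__":
    for key, value in extract_multiword(SAMPLE).items():
        print(f"{key} = {value!r}")
    print("fields truncated by space-delimited extraction:", truncated_fields(SAMPLE))
```

Two things to carry over into Splunk: first, this regex has the key in group 2 and the value in group 3 (group 1 is the whole pair), so the transforms.conf stanza needs a FORMAT that names those groups, e.g. `FORMAT = $2::$3` together with `MV_ADD = true` so every pair in the event is extracted, not just the first. Second, a stanza referenced from props.conf with `TRANSFORMS-<class>` is applied at index time and does not create search-time fields; for search-time field extraction from transforms.conf the props.conf stanza must reference it with `REPORT-<class>` instead.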
What is the event from? Have you tried using a TA that already has the extractions for the device, for example the Splunk TA for Cisco if it's a Cisco device? That's the easiest method.
Actually it was just for learning purposes. I prepared a sample log and fed it to Splunk using a file input. My idea was not to use a TA but to extract the fields using these two confs. Maybe this TA uses props and transforms for extraction and I can get some help from that.