Break event and extract fields from script input

kpavan · ‎05-02-2018

Hi All,

Am getting custom scripted input from one of our app server, but wanted to know understand how to break these events and extract fields for below sample output. Could you please help me to solve this.

Suffix DN : Server : Entries : Replication enabled : DS ID : RS ID : RS Port (1) : M.C. (2) : A.O.M.C. (3) : Security (4)
dc=domain,dc=com : server1.domain.com:PORT : 156827 : true : 23636 : 11208 : 8989 : 0 : : true
dc=domain,dc=com : server2.domain.com:PORT : 156827 : true : 14162 : 7315 : 8989 : 0 : : true
Suffix DN : Server : Entries : Replication enabled : DS ID : RS ID : RS Port (1) : M.C. (2) : A.O.M.C. (3) : Security (4)
dc=domain,dc=com : server1.domain.com:PORT : 156827 : true : 23636 : 11208 : 8989 : 0 : : true
dc=domain,dc=com : server2.domain.com:PORT : 156827 : true : 14162 : 7315 : 8989 : 0 : : true
Suffix DN : Server : Entries : Replication enabled : DS ID : RS ID : RS Port (1) : M.C. (2) : A.O.M.C. (3) : Security (4)
dc=domain,dc=com : server1.domain.com:PORT : 156827 : true : 23636 : 11208 : 8989 : 0 : : true
dc=domain,dc=com : server2.domain.com:PORT : 156827 : true : 14162 : 7315 : 8989 : 0 : : true

Thanks!
Pavan

xpac · ‎05-02-2018

Hey, check these answers, they should be adaptable to your problem:

https://answers.splunk.com/answers/170826/set-delimiter.html

https://answers.splunk.com/answers/627420/how-do-i-load-the-custom-delimited-file-with-heade.html

Break event and extract fields from script input

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes

Are you a member of the Splunk Community?

Break event and extract fields from script input

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes