Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Help in parsing Avamar Logs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ansif
Motivator
09-24-2019
01:30 AM
Hi All,
Please help me to parse this event into key value pair:
Timestamp Hostname and Field name in angle bracket and values
Jul 8 22:02:05 RXXXXXXX001 MCS:BS: <Code> 30900 <Type> WARNING <Severity> PROCESS <Category> APPLICATION <User> root <HwSource> RXXXXXXX001 <Summary> Activity failed
- timed out before completion. <Group> SQL_Transaction_Logs_4_Hours <Action> Scheduled Backup <status_code> 30900 <starttime> 2019-07-08 23:00:00 <targetCid> 8exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9 8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9 <account_name> rxxxxxxxxxxx.xx.xxxxxxx.com <client> /clients/rxxxxxxxxxxx.xx.xxxxxxx.com <bytes_modified_sent> 0 <client_name> rxxxxxxxxxxx.xx.xxxxxxx.com <errorcode> 10019 <CID> 8exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9 <hard_limit> 0 <retention_policy> 14_Days <bytes_protected> 0 <endtime> 2019-07-09 0 3:02:05 <PID> SQL <plugin_name> Windows SQL <snapup_number> <snapup_label> <schedule> Transaction log 4 HR <bytes_scanned> 1 <WID> Transaction log 4 HR-SQL_Transactio n_Logs_4_Hours-1562626800005 <domain> /clients <dataset> /Transactional_Log _4_Hours <account> /clients/rxxxxxxxxxxx.xx.xxxxxxx.com
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
09-24-2019
02:13 AM
Assuming field values do not contain <> characters, this should be fairly straightforward using props and transforms like so:
props.conf (make sure to set the sourcetype to what you actually use)
[avamar:syslog]
REPORT-key_value_extract = avamar_key_value_extract
transforms.conf
[avamar_key_value_extract]
REGEX = \<([^>]+)\>\s+([^<]*?)\s*(?=\<|$)
FORMAT = $1::$2
https://regex101.com/r/76VHjG/1
You may want to tune the regex a bit, but it is a bit tricky to get a really simple and fast one, that still strips out the spaces around the field values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FrankVl
Ultra Champion
09-24-2019
02:13 AM
Assuming field values do not contain <> characters, this should be fairly straightforward using props and transforms like so:
props.conf (make sure to set the sourcetype to what you actually use)
[avamar:syslog]
REPORT-key_value_extract = avamar_key_value_extract
transforms.conf
[avamar_key_value_extract]
REGEX = \<([^>]+)\>\s+([^<]*?)\s*(?=\<|$)
FORMAT = $1::$2
https://regex101.com/r/76VHjG/1
You may want to tune the regex a bit, but it is a bit tricky to get a really simple and fast one, that still strips out the spaces around the field values.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
