Re: How to easily parse syslog data into multi val...

Unister · ‎02-17-2014

I'd like to parse some data provided by syslog. The format is:

date host service: key1=value1 key2=value2 key3=value3 key3=value4

Most fields are parsed correctly, apart from key3 which I want to be a multi value field. Splunk (5 and 6) parses this as key3=value3 and not key3=(value3 value4).

I can change the input data format after the colon, but I think I saw some log line that created a multi value field where the input log had two keys with the same name. I cannot identify these lines with their own source/sourcetype, so I'd like to use something that works with sourcetype=syslog.

alacercogitatus · ‎02-17-2014

So: in the search app ($SPLUNK_HOME/etc/apps/search/local), edit props.conf and transforms.conf.

props.conf
[syslog]
REPORT-mvadd = add_mv


transforms.conf
[add_mv]
MV_ADD = true

This should tell the search extractor to do multiple values for each key if it exists.

Unister · ‎02-17-2014

I tried it with a new app or with etc/apps/search/local but it isn't working. I tried finding the position where the log line is split at = but I cannot find it. There are multiple transforms but none is used for syslog...

How to easily parse syslog data into multi value field

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >

How to easily parse syslog data into multi value field

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >