Re: How to easily parse syslog data into multi val...

Unister · ‎02-17-2014

I'd like to parse some data provided by syslog. The format is:

date host service: key1=value1 key2=value2 key3=value3 key3=value4

Most fields are parsed correctly, apart from key3 which I want to be a multi value field. Splunk (5 and 6) parses this as key3=value3 and not key3=(value3 value4).

I can change the input data format after the colon, but I think I saw some log line that created a multi value field where the input log had two keys with the same name. I cannot identify these lines with their own source/sourcetype, so I'd like to use something that works with sourcetype=syslog.

alacercogitatus · ‎02-17-2014

So: in the search app ($SPLUNK_HOME/etc/apps/search/local), edit props.conf and transforms.conf.

props.conf
[syslog]
REPORT-mvadd = add_mv


transforms.conf
[add_mv]
MV_ADD = true

This should tell the search extractor to do multiple values for each key if it exists.

Unister · ‎02-17-2014

I tried it with a new app or with etc/apps/search/local but it isn't working. I tried finding the position where the log line is split at = but I cannot find it. There are multiple transforms but none is used for syslog...

How to easily parse syslog data into multi value field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation