How to easily parse syslog data into multi value f...

Unister · ‎02-17-2014

I'd like to parse some data provided by syslog. The format is:

date host service: key1=value1 key2=value2 key3=value3 key3=value4

Most fields are parsed correctly, apart from key3 which I want to be a multi value field. Splunk (5 and 6) parses this as key3=value3 and not key3=(value3 value4).

I can change the input data format after the colon, but I think I saw some log line that created a multi value field where the input log had two keys with the same name. I cannot identify these lines with their own source/sourcetype, so I'd like to use something that works with sourcetype=syslog.

alacercogitatus · ‎02-17-2014

So: in the search app ($SPLUNK_HOME/etc/apps/search/local), edit props.conf and transforms.conf.

props.conf
[syslog]
REPORT-mvadd = add_mv


transforms.conf
[add_mv]
MV_ADD = true

This should tell the search extractor to do multiple values for each key if it exists.

Unister · ‎02-17-2014

I tried it with a new app or with etc/apps/search/local but it isn't working. I tried finding the position where the log line is split at = but I cannot find it. There are multiple transforms but none is used for syslog...

How to easily parse syslog data into multi value field

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?