Solved: Re: How to extract field values from a log record ...

DrFedtke · ‎08-13-2015

hi all,

we have data records like

posLabel=monitoring field posData=51.02 55.56 msg=xxxx

where variables' content include blanks.

my questions:

how can I advise splunk to include the entire string (incl. blanks)
to a variable. in this example, to assign "monitoring field" to variable
posLabel and "51.02 55.56" to posData?
is there any escape character defined to prevent that a "=" character
in my data becomes interpreted as a new variable namen?
for example, in case of "posData=x=5,y=9 " the value of posData
should be "x=5,y=9", and no x and y variables should become created.

thanks for any link or sample code.

best, and thanks to all
Caspar

woodcock · ‎08-13-2015

Like this:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1

woodcock · ‎08-13-2015

Like this:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1

How to extract field values from a log record including blanks in the data part?