
Is there a way to define the colon to be a name value pair separator?

ddrillic
Ultra Champion

We have cases such as the LDAP audit log file:

dn: dc=<domain name>,dc=com
changetype: modify
replace: ds-sync-state
ds-sync-state: 0000016557BC19A55A110000004D
ds-sync-state: 0000016557BC93E3543100000048
ds-sync-state: 0000016557BC4A5858E300000045
ds-sync-state: 0000016557BCAC641C9300000045
ds-sync-state: 0000016557BCC49E1FF500000045
ds-sync-state: 0000016557BC7AD379F900000065
ds-sync-state: 0000016557BCDCD62ABB00000045
ds-sync-state: 0000016527034D6B075D00000001
ds-sync-state: 0000016557BC629E14FF00000090
ds-sync-state: 0000016557BC3205396F00000049

Is there a way to define the colon to be a name-value pair separator? Obviously, none of these fields is being automatically extracted.


FrankVl
Ultra Champion

Yes, I think you can define a DELIMS-based extraction in transforms.conf, specifying that key/value pairs are separated by newline and key is separated from value by colon. Or apply a regex-based extraction using something like ([^:]+):\s+([^\r\n]+) with FORMAT = $1::$2. I think that second option is how Splunk_TA_windows does it.

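The regex option from the answer above, written out as search-time configuration. This is an added example, not part of the original thread or of any Splunk add-on: the sourcetype `ldap:audit` and the stanza name `ldap_audit_colon_kv` are hypothetical, and the key and separator classes are tightened to exclude line breaks (an assumption) so that a match cannot run from one line into the next.

```ini
# ---- transforms.conf ----
# Hypothetical stanza name; referenced from props.conf below.
[ldap_audit_colon_kv]
# Group 1 = key: the text before the first colon on a line. \r and \n are
# excluded (assumed tightening of the regex in the answer) so a key cannot
# begin on the previous line of a multi-line event.
# Group 2 = value: the rest of the line after the colon and spaces/tabs.
REGEX = ([^:\r\n]+):[ \t]+([^\r\n]+)
# Dynamic field name: group 1 becomes the name, group 2 the value.
FORMAT = $1::$2
# The sample repeats ds-sync-state ten times; keep every value as a
# multivalue field instead of only the first match.
MV_ADD = true

# ---- props.conf ----
# Hypothetical sourcetype; replace with the sourcetype of the LDAP audit log.
[ldap:audit]
# Search-time extraction that calls the transform above.
REPORT-ldap_audit_colon_kv = ldap_audit_colon_kv
```

With the default key cleaning (CLEAN_KEYS = true), the hyphens in ds-sync-state are replaced by underscores, so the field is searched as ds_sync_state.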

ddrillic
Ultra Champion

Thank you @FrankVl.
