Parse A field that contains many Portential other ...

cbrownlee · ‎07-18-2017

I am trying to parse a field that has much data and the fields will always be the same. Rex field will be too long to use it as often as I use it. The field names will be the names before the colon. For example ackn_time=1500394536, application=websphere Application Server

additional_info={ackn_time:1500394536,u_message_object:SETLWEB_C1:27577:snossd08.here.com:::JVM,receiving_time:1500394536,service_name:snossd08.here.com,message_number:54ad72a8-6bd4-71e7-01a0-0a8bc02b0000,notification_flag:0,u_message_source:WBSSPI_0005(7.401),trouble_tick_flag:0,u_message_notification_flag:0,msg_source_name:WBSSPI_0005(7.401),application:websphere Application Server,message_group:WBSSPI,u_message_group:WBSSPI,cma_value:WBSSPI-0005.2: Major threshold,u_cmdb_ci_appl:websphere Application Server,u_message_trouble_ticket_flag:0,object:SETLWEB_C1:27577:sawasd08.dtcc.com:::JVM}

Any help would be great!!

coltwanger · ‎07-18-2017

I think what you'll want to do is create a transforms.conf for this sourcetype that creates the fields for you based on your regex. You will want to define what constitutes a field name (after a comma, before a colon) and what constitutes a field value (after the colon and before the comma). Then use FORMAT = $1::$2 to have Splunk figure out the field and values for you when you search.

See this thread for an example:
https://answers.splunk.com/answers/150530/how-to-autofill-field-name-with-field-extraction-or-dynami...

Parse A field that contains many Portential other fields

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?