Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex match that assign headers to line

nikorc
Loves-to-Learn Lots
‎08-12-2020 05:47 AM

I have a log file that has 3 different types of headers. There is a unique id field per line notifying me of what the headers should be. Is there a way to have splunk regex match the line with the unique id then assign headers to that line. There will be 3 different regexs matches with unique headers.

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-12-2020 07:59 AM

Hi

can you share those examples to community, so we could  better help you. 
r. Ismo

0 Karma
Reply

nikorc
Loves-to-Learn Lots
‎08-14-2020 11:01 AM

here is a sample of some data. 3rd comma-delimited field is the unique type identifier.  The 1st 6 fields all have a common header. Then the headers for the fields after these 6 will be different based on the 3rd field value.

Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000
Computer01,06/18/2019 18:15:19.000000,2,111,222,333,Adaptive,black,Normal,black,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,12.1000000000,23.1000000000,34.1000000000,45.1000000000
Computer01,06/18/2019 18:15:14.000000,4,111,222,333,5,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,FREQ CHANGE,0,DEBUG STRING AND DATA,0x00000020,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:15.000000,4,111,222,333,6,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,NO ERROR,0,DEBUG STRING AND DATA,0x00000040,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:17.000000,3,111,222,333,444,555,666,777,888,999,Timeout,131.8,DEBUG STRING AND DATA,0x00000100,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307
Computer01,06/18/2019 18:15:18.000000,3,111,222,333,444,555,666,777,888,999,Unspecified Error,132.9,DEBUG STRING AND DATA,0x00000200,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307

 

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-14-2020 12:11 PM

Since the event is changed based on id field, you should write regex for each id.

I can help you with regex if you can share event for each id with field header.

————————————
If this helps, give a like below.
0 Karma
Reply

nikorc
Loves-to-Learn Lots
‎08-14-2020 12:24 PM

If you could give me an example using one of the types I should be able to get the rest done. I made some generic headers for the data.

HOSTNAME,DATE_TIME,TYPE,ID1,ID2,ID3,X_TRESHOLD,X_COLOR,Y_THRESHOLD,Y_COLOR,DEBUG_INFO,MEM_ADD,IP_PORT,DEBUG1,DEBUG2,DEBUG3,DEBUG4
Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...