Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex match that assign headers to line

nikorc
Loves-to-Learn Lots
‎08-12-2020 05:47 AM

I have a log file that has 3 different types of headers. There is a unique id field per line notifying me of what the headers should be. Is there a way to have splunk regex match the line with the unique id then assign headers to that line. There will be 3 different regexs matches with unique headers.

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-12-2020 07:59 AM

Hi

can you share those examples to community, so we could  better help you. 
r. Ismo

0 Karma
Reply

nikorc
Loves-to-Learn Lots
‎08-14-2020 11:01 AM

here is a sample of some data. 3rd comma-delimited field is the unique type identifier.  The 1st 6 fields all have a common header. Then the headers for the fields after these 6 will be different based on the 3rd field value.

Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000
Computer01,06/18/2019 18:15:19.000000,2,111,222,333,Adaptive,black,Normal,black,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,12.1000000000,23.1000000000,34.1000000000,45.1000000000
Computer01,06/18/2019 18:15:14.000000,4,111,222,333,5,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,FREQ CHANGE,0,DEBUG STRING AND DATA,0x00000020,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:15.000000,4,111,222,333,6,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,NO ERROR,0,DEBUG STRING AND DATA,0x00000040,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:17.000000,3,111,222,333,444,555,666,777,888,999,Timeout,131.8,DEBUG STRING AND DATA,0x00000100,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307
Computer01,06/18/2019 18:15:18.000000,3,111,222,333,444,555,666,777,888,999,Unspecified Error,132.9,DEBUG STRING AND DATA,0x00000200,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307

 

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-14-2020 12:11 PM

Since the event is changed based on id field, you should write regex for each id.

I can help you with regex if you can share event for each id with field header.

————————————
If this helps, give a like below.
0 Karma
Reply

nikorc
Loves-to-Learn Lots
‎08-14-2020 12:24 PM

If you could give me an example using one of the types I should be able to get the rest done. I made some generic headers for the data.

HOSTNAME,DATE_TIME,TYPE,ID1,ID2,ID3,X_TRESHOLD,X_COLOR,Y_THRESHOLD,Y_COLOR,DEBUG_INFO,MEM_ADD,IP_PORT,DEBUG1,DEBUG2,DEBUG3,DEBUG4
Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...