Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regex match that assign headers to line

nikorc
Loves-to-Learn Lots
‎08-12-2020 05:47 AM

I have a log file that has 3 different types of headers. There is a unique id field per line notifying me of what the headers should be. Is there a way to have splunk regex match the line with the unique id then assign headers to that line. There will be 3 different regexs matches with unique headers.

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-12-2020 07:59 AM

Hi

can you share those examples to community, so we could  better help you. 
r. Ismo

0 Karma
Reply

nikorc
Loves-to-Learn Lots
‎08-14-2020 11:01 AM

here is a sample of some data. 3rd comma-delimited field is the unique type identifier.  The 1st 6 fields all have a common header. Then the headers for the fields after these 6 will be different based on the 3rd field value.

Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000
Computer01,06/18/2019 18:15:19.000000,2,111,222,333,Adaptive,black,Normal,black,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,12.1000000000,23.1000000000,34.1000000000,45.1000000000
Computer01,06/18/2019 18:15:14.000000,4,111,222,333,5,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,FREQ CHANGE,0,DEBUG STRING AND DATA,0x00000020,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:15.000000,4,111,222,333,6,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,NO ERROR,0,DEBUG STRING AND DATA,0x00000040,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:17.000000,3,111,222,333,444,555,666,777,888,999,Timeout,131.8,DEBUG STRING AND DATA,0x00000100,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307
Computer01,06/18/2019 18:15:18.000000,3,111,222,333,444,555,666,777,888,999,Unspecified Error,132.9,DEBUG STRING AND DATA,0x00000200,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307

 

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-14-2020 12:11 PM

Since the event is changed based on id field, you should write regex for each id.

I can help you with regex if you can share event for each id with field header.

————————————
If this helps, give a like below.
0 Karma
Reply

nikorc
Loves-to-Learn Lots
‎08-14-2020 12:24 PM

If you could give me an example using one of the types I should be able to get the rest done. I made some generic headers for the data.

HOSTNAME,DATE_TIME,TYPE,ID1,ID2,ID3,X_TRESHOLD,X_COLOR,Y_THRESHOLD,Y_COLOR,DEBUG_INFO,MEM_ADD,IP_PORT,DEBUG1,DEBUG2,DEBUG3,DEBUG4
Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...