Getting Data In

Regex match that assign headers to line

nikorc
Loves-to-Learn Lots

I have a log file that has 3 different types of headers. There is a unique id field per line notifying me of what the headers should be. Is there a way to have splunk regex match the line with the unique id then assign headers to that line. There will be 3 different regexs matches with unique headers.

Labels (2)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

can you share those examples to community, so we could  better help you. 
r. Ismo

0 Karma

nikorc
Loves-to-Learn Lots

here is a sample of some data. 3rd comma-delimited field is the unique type identifier.  The 1st 6 fields all have a common header. Then the headers for the fields after these 6 will be different based on the 3rd field value.

Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000
Computer01,06/18/2019 18:15:19.000000,2,111,222,333,Adaptive,black,Normal,black,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,12.1000000000,23.1000000000,34.1000000000,45.1000000000
Computer01,06/18/2019 18:15:14.000000,4,111,222,333,5,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,FREQ CHANGE,0,DEBUG STRING AND DATA,0x00000020,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:15.000000,4,111,222,333,6,12.3450000000,67.8900000000,87.6500000000,987.6540000000,128,NO ERROR,0,DEBUG STRING AND DATA,0x00000040,1.2.3.4:1301,112233
Computer01,06/18/2019 18:15:17.000000,3,111,222,333,444,555,666,777,888,999,Timeout,131.8,DEBUG STRING AND DATA,0x00000100,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307
Computer01,06/18/2019 18:15:18.000000,3,111,222,333,444,555,666,777,888,999,Unspecified Error,132.9,DEBUG STRING AND DATA,0x00000200,1.2.3.3:1301,4.5.6.6:1304,7.8.9.9:1307

 

0 Karma

thambisetty
SplunkTrust
SplunkTrust

Since the event is changed based on id field, you should write regex for each id.

I can help you with regex if you can share event for each id with field header.

————————————
If this helps, give a like below.
0 Karma

nikorc
Loves-to-Learn Lots

If you could give me an example using one of the types I should be able to get the rest done. I made some generic headers for the data.

HOSTNAME,DATE_TIME,TYPE,ID1,ID2,ID3,X_TRESHOLD,X_COLOR,Y_THRESHOLD,Y_COLOR,DEBUG_INFO,MEM_ADD,IP_PORT,DEBUG1,DEBUG2,DEBUG3,DEBUG4
Computer01,06/18/2019 18:15:09.000000,2,111,222,333,Below Adaptive,orange,Below Adaptive,orange,DEBUG STRING AND DATA,0x00000002,1.2.3.4:1301,1.1000000000,2.1000000000,3.1000000000,4.1000000000

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...