Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Tab separated events in log - how do I parse it into fields?

brent_weaver
Builder
‎02-13-2017 04:31 AM

I dont know why I cannot get this to work BUT, I have a log that is TSV and I want to carve out the fields. Beyond TSV the first field needs to be parsed as colon separated and my timestamp is the second part of that first field. How do I accomplish this? These are actually bro logs that do not parse correctly with he Spunk App for bro IDS. This app is for v2.4< and we are on 2.5. Any help is much appreciated!

Reply

jkat54
SplunkTrust
SplunkTrust
‎02-13-2017 08:09 AM

Here's one way, put this props on your forwarders & indexers.

[sourcetypeName]
INDEXED_EXTRACTIONS=TSV
FIELD_NAMES = _time, fielda, fieldb, fieldc
0 Karma
Reply

brent_weaver
Builder
‎02-13-2017 08:16 AM

Here is my props.conf:

splunk[/opt/splunk/etc/apps/bro/local] # cat props.conf
[bro]
INDEXED_EXTRACTIONS = TSV
FIELD_NAMES = field1, field2, field3, field4
splunk[/opt/splunk/etc/apps/bro/local] #

This did not work, I am sorry.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-13-2017 08:24 AM

I noticed this is in /opt/splunk... Do you have a distributed environment?

Can you explain the integration's architecture like below?

bro logs -> universal forwarder -> indexer -> search heads

or maybe

bro logs -> indexer & search head

etc.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-13-2017 07:32 AM

I find it hard to believe the bro logs dont parse correctly with the splunk app for bro IDS. Did you follow the installation instructions completely?

Do you have a distributed splunk install? If so, where did you put the props?

0 Karma
Reply

brent_weaver
Builder
‎02-13-2017 08:03 AM

I did follow the instructions, which clearly state that it is compatible with =

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-13-2017 06:11 AM

Some sample data would be helpful.

---
If this reply helps you, Karma would be appreciated.
Reply

brent_weaver
Builder
‎02-13-2017 08:05 AM

A sample data would be:

1/3/2016 11:05:05\tfield1\tfield2\tfield3

please note that I cannot put the tabs in there so I used the \t esc character. This is just a sample of data for testing purposes.
Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...