event tagging ..Multiple format lines in same log ...

desi-indian · ‎01-19-2012

Hi ,
I am trying to do a field extraction for a log ...the issue I am facing is the field lay out remains constant works fine for 90 % time but for remaining 10 % the log format changes

Example :

when I have a message line with "Authenticated" In there the user_ID is 9 th field

BUT when I have "LOGOFF" in the line the User_ID is coming in as 7 th field .

How do I define my props/transforms so I am capturing ALL User_IDs irrespective If it comes in 7 th field or 9 th field ?

Thanks for the help !

aalanisr26 · ‎04-16-2015

if for example you have:

First Kind of event,Some More field,Authentication,7,More,More
Second Kind of event,Data,Data,Data,Data,Data,Data,LogOFF,7,More,More

if you want to get the 7

(Authentication\,\d+|LogOFF\,\d)

lguinn2 · ‎01-22-2012

And a few lines from a log file, showing the alternate formats, would be helpful, too. You should anonymize any identifying data. Thanks!

ftk · ‎01-19-2012

Can you post your current extractions from props.conf and transforms.conf?

event tagging ..Multiple format lines in same log file

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

event tagging ..Multiple format lines in same log file

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...