event tagging ..Multiple format lines in same log ...

desi-indian · ‎01-19-2012

Hi ,
I am trying to do a field extraction for a log ...the issue I am facing is the field lay out remains constant works fine for 90 % time but for remaining 10 % the log format changes

Example :

when I have a message line with "Authenticated" In there the user_ID is 9 th field

BUT when I have "LOGOFF" in the line the User_ID is coming in as 7 th field .

How do I define my props/transforms so I am capturing ALL User_IDs irrespective If it comes in 7 th field or 9 th field ?

Thanks for the help !

aalanisr26 · ‎04-16-2015

if for example you have:

First Kind of event,Some More field,Authentication,7,More,More
Second Kind of event,Data,Data,Data,Data,Data,Data,LogOFF,7,More,More

if you want to get the 7

(Authentication\,\d+|LogOFF\,\d)

lguinn2 · ‎01-22-2012

And a few lines from a log file, showing the alternate formats, would be helpful, too. You should anonymize any identifying data. Thanks!

ftk · ‎01-19-2012

Can you post your current extractions from props.conf and transforms.conf?

event tagging ..Multiple format lines in same log file

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

event tagging ..Multiple format lines in same log file

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25