Solved: inputs.conf configuration for key value pair

dbcase · ‎05-17-2018

Hi,

I have the below data that I will be importing into splunk. Id like to be able to delimit based on the FIRST (and ONLY the first) colon in the line. How would I go about doing this?

Name: HD Front Driveway
    IP: 0.0.0.0
    ID: 11
    Mac: D4:21:22:C9:B4:62
    FW Ver: 3.0.02.51
    Manufacturer: iControl
    Model: iCamera2-C
    Video Size: LARGE
    Verified: true
    RSSI:  dB
    Supported Video Formats: [MJPEG, FLV, RTSP]
    Supported Video Codecs: [H264, MPEG4]
    FLV URL:
    MJPEG URL:
    API Version: 3.3
    MotionTurnedOn: true
    MotionSensitivy: 1 (LOW)
    Local Video Aspect Ratio: 16:9
    Local Video Resolution: 1280:720
    Remote Video Aspect Ratio: 16:9
    Remote Video Resolution: 1280:720

xpac · ‎05-18-2018

As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:

props.conf

[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields

transforms.conf

[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2

I shamelessly copied the regex from @somesoni2's comment 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

xpac · ‎05-18-2018

As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:

props.conf

[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields

transforms.conf

[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2

I shamelessly copied the regex from @somesoni2's comment 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

richgalloway · ‎05-17-2018

Try these settings. You'll need more, like TIME_PREFIX, etc., but these should handle the parsing.

props.conf:

[mysourcetype]
TRANSFORM-foo = foo

transforms.conf:

[foo]
REGEX = (?<_KEY_>[^:]+):\s*(?<_VAL_>[^\n]+)

---
If this reply helps you, Karma would be appreciated.

niketn · ‎05-17-2018

@richgalloway, I had something similar but Empty Key displaces the regular expression ie. line 13 and 14 in the question:

 FLV URL:
 MJPEG URL:

Following is the regex I was using: https://regex101.com/r/6JmpLF/1

\s+([^:]+):\s+(.+)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2 · ‎05-17-2018

This should work (making the values optional)

REGEX = \s*(?<_KEY_>[^:]+):(?<_VAL_>.*)[\r\n]

https://regex101.com/r/6JmpLF/3

somesoni2 · ‎05-17-2018

What have you tried so far?

dbcase · ‎05-17-2018

well that is a fair question. I've not actually tried anything yet but I did look at KV_MODE=True but it appears that uses "=" as the delimiter and I wasn't sure how to change it. Then I'm looking at multiple ":" in a single line and thats where it went out of my ballpark.

inputs.conf configuration for key value pair

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation