Solved: Re: inputs.conf configuration for key value pair

dbcase · ‎05-17-2018

Hi,

I have the below data that I will be importing into splunk. Id like to be able to delimit based on the FIRST (and ONLY the first) colon in the line. How would I go about doing this?

Name: HD Front Driveway
    IP: 0.0.0.0
    ID: 11
    Mac: D4:21:22:C9:B4:62
    FW Ver: 3.0.02.51
    Manufacturer: iControl
    Model: iCamera2-C
    Video Size: LARGE
    Verified: true
    RSSI:  dB
    Supported Video Formats: [MJPEG, FLV, RTSP]
    Supported Video Codecs: [H264, MPEG4]
    FLV URL:
    MJPEG URL:
    API Version: 3.3
    MotionTurnedOn: true
    MotionSensitivy: 1 (LOW)
    Local Video Aspect Ratio: 16:9
    Local Video Resolution: 1280:720
    Remote Video Aspect Ratio: 16:9
    Remote Video Resolution: 1280:720

xpac · ‎05-18-2018

As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:

props.conf

[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields

transforms.conf

[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2

I shamelessly copied the regex from @somesoni2's comment 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

xpac · ‎05-18-2018

As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:

props.conf

[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields

transforms.conf

[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2

I shamelessly copied the regex from @somesoni2's comment 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

richgalloway · ‎05-17-2018

Try these settings. You'll need more, like TIME_PREFIX, etc., but these should handle the parsing.

props.conf:

[mysourcetype]
TRANSFORM-foo = foo

transforms.conf:

[foo]
REGEX = (?<_KEY_>[^:]+):\s*(?<_VAL_>[^\n]+)

---
If this reply helps you, Karma would be appreciated.

niketn · ‎05-17-2018

@richgalloway, I had something similar but Empty Key displaces the regular expression ie. line 13 and 14 in the question:

 FLV URL:
 MJPEG URL:

Following is the regex I was using: https://regex101.com/r/6JmpLF/1

\s+([^:]+):\s+(.+)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2 · ‎05-17-2018

This should work (making the values optional)

REGEX = \s*(?<_KEY_>[^:]+):(?<_VAL_>.*)[\r\n]

https://regex101.com/r/6JmpLF/3

somesoni2 · ‎05-17-2018

What have you tried so far?

dbcase · ‎05-17-2018

well that is a fair question. I've not actually tried anything yet but I did look at KV_MODE=True but it appears that uses "=" as the delimiter and I wasn't sure how to change it. Then I'm looking at multiple ":" in a single line and thats where it went out of my ballpark.

inputs.conf configuration for key value pair

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!