Hello All,
Can anyone help me with this event injection in Splunk?
Sample data:
122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz
NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz
- value: ID
- unformatted value: vvcsa
- formatted value: abcsc
- returnType:
- boost: 1
- append: False
Here it has to be two events with their respective date and time.
Thank you for the reply.
The event should be broken as follows:
1st Event:
122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz
2nd Event:
NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz
- value: ID
- unformatted value: vvcsa
- formatted value: abcsc
- returnType:
- boost: 1
- append: False
I presume "NOT_AVAILABLE" represents sensitive data that can't be shared in a public forum. Regrettably, this method of sanitization makes it rather difficult to create a regex that Splunk can use to split events. Can you sanitize the data another way?
Whenever there is no data in the logs, it is represented as a "NOT_AVAILABLE" entry.
Please do consider this in regex as well.
So the event could contain "NOT_AVAILABLE" or it could contain anything else, right? That makes it nearly impossible to define a rule for separating events. I'm not sure I can help here.
It can contain the IP address, or if it's empty then it contains "NOT_AVAILABLE".
Please do let me know if this helps.
Please show where the event should be broken.
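The following is an added example that is not part of the thread and not from any of the posters. It tests, offline in Python, an event-breaking regex of the kind that would go into a Splunk LINE_BREAKER for the sanitized sample above. It assumes (as the sample shows, and as the poster states for the first field) that every event starts with four whitespace-delimited tokens, the first being either an IPv4 address or the literal NOT_AVAILABLE, followed by a "YYYY-MM-DD HH:MM:SS" timestamp, and that the "- key: value" continuation lines never begin with such a token. The sample data is constructed to mirror the thread; the sourcetype name and the props.conf settings in the comment are assumptions, not anything from the original post. Reliable event breaking matters for detection work because a mis-merged event carries the wrong timestamp and can hide the line a search should have matched.

```python
import re
from typing import List, Optional

# Constructed sample mirroring the thread's sanitized data (not real logs).
SAMPLE = (
    "122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz\n"
    "NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE "
    "2021-09-27 11:16:08 5432 DEBUG Field: xyz\n"
    "- value: ID\n"
    "- unformatted value: vvcsa\n"
    "- formatted value: abcsc\n"
    "- returnType:\n"
    "- boost: 1\n"
    "- append: False\n"
)

# Assumed event-start shape: first token is a loose IPv4 match or the literal
# NOT_AVAILABLE, then three more non-blank tokens, then the timestamp.
# Continuation lines start with "- " and therefore never match.
EVENT_START = (
    r"(?:\d{1,3}(?:\.\d{1,3}){3}|NOT_AVAILABLE)"
    r"(?:[ \t]+\S+){3}[ \t]+"
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
)

# Splunk LINE_BREAKER convention: the first capture group (the newline run) is
# consumed as the boundary; the lookahead leaves the new event's text intact.
# The equivalent props.conf stanza (assumed sourcetype name) would be:
#
#   [my_sourcetype]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=(?:\d{1,3}(?:\.\d{1,3}){3}|NOT_AVAILABLE)(?:[ \t]+\S+){3}[ \t]+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
#   TIME_PREFIX = ^(?:\S+[ \t]+){4}
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S
#   MAX_TIMESTAMP_LOOKAHEAD = 19
LINE_BREAKER = re.compile(r"([\r\n]+)(?=" + EVENT_START + r")")

# Mirrors TIME_PREFIX + TIME_FORMAT: skip four tokens, then read the timestamp.
TIMESTAMP = re.compile(
    r"^(?:\S+[ \t]+){4}(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def split_events(raw: str) -> List[str]:
    """Split raw text into events the way the LINE_BREAKER above would."""
    parts = LINE_BREAKER.split(raw)
    # re.split returns the captured newline runs as separate items; drop them
    # and any empty chunks, and trim the trailing newline of the last event.
    return [
        p.strip("\r\n")
        for p in parts
        if p and not re.fullmatch(r"[\r\n]+", p)
    ]


def event_timestamp(event: str) -> Optional[str]:
    """Return the event's timestamp string, or None if it does not parse."""
    m = TIMESTAMP.match(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    for i, ev in enumerate(split_events(SAMPLE), start=1):
        print(f"--- event {i} @ {event_timestamp(ev)} ---")
        print(ev)
```

Running the block prints the two events from the thread with their own timestamps; the six "- key: value" lines stay attached to the second event because no continuation line matches the lookahead. If real data ever has a first field that is neither an IPv4 address nor NOT_AVAILABLE, the alternation at the start of EVENT_START is the one part to widen.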