Re: transformation of the logs

Jananee_iNautix · ‎11-28-2013

Hi,
I was given logs of certain format and now i want to output the logs in different format.Below is the sample logs given
2013/11/22 00:03:21 [therws] User activity containing filename abc.txt
2013/11/22 00:03:21 [tergs] User activity containing filename cde.csv

I should extract fields from the above logs and output them in splunk following format as events.

Fri November 22 00:03:21 2013 threws abc.txt a

a is for ascii
b is for binary

Can this be done in splunk?The transformation of logs should take place not at search time.

yannK · ‎11-28-2013

At search time or at index time ?

At search time, you can extract all your fields, with rex and use a simple eval to create the needed field.
And when you export, use another eval to format/concatenate your events with all the fields, in the order you want

Please provide your props and transforms to understand what was done.

Jananee_iNautix · ‎11-28-2013

In props.conf i created a new sourcetype involving transformation part in it.
In transform.conf I didn give the regex pattern yet waiting for your answer to give a try.

Jananee_iNautix · ‎11-28-2013

I want at index time.

transformation of the logs

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!