Splunk Dev

how to save fileds permanently after extract command

dsenapaty
Explorer

Hello All,

I have the below string

2020-04-24 23:14:47,422 INFO http-8080-1 com.pscu.dxsimple.raApp - Response (Success:true)-(Validation:true)-(F_TAG:1402)-(CLIENT_ID:2113)-(Total_TT:4046ms)-(AppServer_TT:3419ms)

I need to extract the key value pairs that are "(Success:true)-(Validation:true)-(F_TAG:1402)-(CLIENT_ID:2113)-(Total_TT:4046ms)-(AppServer_TT:3419ms)" as specific fields.

I used index=testindex source="tomcat.txt"| extract pairdelim="\"{-}" kvdelim=":"

I am able to see the keyvalue being generated but i need to have this data persistant and saved permanently. How can i do this?

Please help

Tags (1)
0 Karma

manjunathmeti
Champion

You can use inline field extraction. Add below configuration in props.conf. Fields are extracted whenever you search source=tomcat.txt. You can also use a sourcetype name in place of source name.

props.conf

[tomcat.txt]
EXTRACT-myfields = \(Success:(?<Success>\w+)\)-\(Validation:(?<Validation>\w+)\)-\(F_TAG:(?<F_TAG>\w+)\)-\(CLIENT_ID:(?<CLIENT_ID>\w+)\)-\(Total_TT:(?<Total_TT>\w+)\)-\(AppServer_TT:(?<AppServer_TT>\w+)\)
0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...