how to save fileds permanently after extract comma...

dsenapaty · ‎04-24-2020

Hello All,

I have the below string

2020-04-24 23:14:47,422 INFO http-8080-1 com.pscu.dxsimple.raApp - Response (Success:true)-(Validation:true)-(F_TAG:1402)-(CLIENT_ID:2113)-(Total_TT:4046ms)-(AppServer_TT:3419ms)

I need to extract the key value pairs that are "(Success:true)-(Validation:true)-(F_TAG:1402)-(CLIENT_ID:2113)-(Total_TT:4046ms)-(AppServer_TT:3419ms)" as specific fields.

I used index=testindex source="tomcat.txt"| extract pairdelim="\"{-}" kvdelim=":"

I am able to see the keyvalue being generated but i need to have this data persistant and saved permanently. How can i do this?

Please help

manjunathmeti · ‎04-25-2020

You can use inline field extraction. Add below configuration in props.conf. Fields are extracted whenever you search source=tomcat.txt. You can also use a sourcetype name in place of source name.

props.conf

[tomcat.txt]
EXTRACT-myfields = \(Success:(?<Success>\w+)\)-\(Validation:(?<Validation>\w+)\)-\(F_TAG:(?<F_TAG>\w+)\)-\(CLIENT_ID:(?<CLIENT_ID>\w+)\)-\(Total_TT:(?<Total_TT>\w+)\)-\(AppServer_TT:(?<AppServer_TT>\w+)\)

how to save fileds permanently after extract command

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

how to save fileds permanently after extract command

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...