Solved: Unstructured Data different fields from one event ...

heloma · ‎04-07-2017

hi,
i am trying to figure out how to parse such a log file:

from server 1
NAME ; JAMES
PERFORMANCE ; 90/100
from server 1
NAME ; TONY
SUCCESS ; 60/80
from host 1
NAME ; ANNA
PERFORMANCE ; 70/100

as you can see, the name of the fields are changing and so are the values.
The event delimiter BREAK_ONLY_BEFORE is "from server".

tny idea how to parse this ?

thanks.

heloma.

richgalloway · ‎04-07-2017

Try this in your props.conf

REGEX = ([^;]*) ; (.*)
FORMAT = $1::$2

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎04-07-2017

Try this in your props.conf

REGEX = ([^;]*) ; (.*)
FORMAT = $1::$2

---
If this reply helps you, Karma would be appreciated.

heloma · ‎04-08-2017

no luck!
what I am looking for, is to auto-extract NAME, PERFORMANCE, SUCESS as new fields and 90/100 , etc as values.
any hint ?

thks

richgalloway · ‎04-08-2017

My apologies, the REGEX and FORMAT attributes should go in transforms.conf. Like this:

[semicolon]
REGEX = ([^;]*) ; (.*)
FORMAT = $1::$2

Then put a reference to the transform in props.conf:

[MySourcetype]
TRANSFORMS-semicolon-separated = semicolon

---
If this reply helps you, Karma would be appreciated.

heloma · ‎04-09-2017

Excellent! thanks.

Unstructured Data different fields from one event to another.