Can anyone provide me a simple example for using R...

zcwang · ‎08-26-2015

Could anyone provide me a simple example for using REGEX with DELIMS? The event in my scenario is full of delimiter-separated field/value pairs, so I used two sets of quoted delimiters. However, the first set of delimiters might be either "," or " ". So I wonder if I could use an OR for the first delimiter. Thanks!

Richfez · ‎11-19-2015

zcwang,

An example of the item in question would make this easier, but I'll try:

Any of the delimiter characters you specify will be considered a delimiter. The docs for transforms.conf provides an example of this

[multiple_delims]
DELIMS = "|;", "=:"

Which they describe as The above example extracts key-value pairs which are separated by '|' or ';', while the key is delimited from value by '=' or ':'.

So that would use either | or ; for the field separators and either one of = or : as the field=value separator. This would match log lines like

|field1=val1;field2=val2|field3:val3;field4=val4;

and pull out of them

field1=val1
field2=val2
field3=val3
field4=val4

MuS · ‎08-26-2015

providing some sample events will be useful in this case.....

Can anyone provide me a simple example for using REGEX with DELIMS?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Can anyone provide me a simple example for using REGEX with DELIMS?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions