Solved: Custom Search - Help needed.

nandipatisunil · ‎10-22-2013

I have trap data coming onto my Splunk Server ... the data looks like this

1.3.6.1.4.1.3279.1.1.8.1.35.2 = ObjectSyntax: simple=SimpleSyntax: string=application_name

my key is "1.3.6.1.4.1.3279.1.1.8.1.35.2" and my value is at the end "application_name"

can some one help me with the search query here.

jtrucks · ‎10-28-2013

Assumption: Every event has the same data between the OID and the application_name.

Use a transform. Perhaps something like this (based on an answers entry😞

In props.conf do:

[yoursourcetypehere]
REPORT-myoidextract = getmyoiddata

Then in transforms.conf do:

[getmyoiddata]
REGEX = (?.*)\s=\sObjectSyntax:\ssimple=SimpleSyntax:\s+string=(?.*)
FORMAT = $1::$2

See if that works (or muss with it some if it's not exact).

--
Jesse Trucks
Minister of Magic

jtrucks · ‎10-28-2013

Assumption: Every event has the same data between the OID and the application_name.

Use a transform. Perhaps something like this (based on an answers entry😞

In props.conf do:

[yoursourcetypehere]
REPORT-myoidextract = getmyoiddata

Then in transforms.conf do:

[getmyoiddata]
REGEX = (?.*)\s=\sObjectSyntax:\ssimple=SimpleSyntax:\s+string=(?.*)
FORMAT = $1::$2

See if that works (or muss with it some if it's not exact).

--
Jesse Trucks
Minister of Magic

nandipatisunil · ‎10-28-2013

This did my job

REGEX = \s1.3.6.1.4.1.3279.1.1.8.1.35.2\s=\sObjectSyntax:\s+simple=SimpleSyntax:\s+string=(?.*)

... but had to also mention the below part ... since it was writing the rest of the message also to the above one.

\s+\s+\s1.3.6.1.4.1.3279.1.1.8.1.35.3\s=\sObjectSyntax:\s+simple=SimpleSyntax:\s+string=(?.*)

Thanks Mr. JTrucks.

nandipatisunil · ‎10-28-2013

I am trying to create custom key-value pairs ... my key is "1.3.6.1.4.1.3279.1.1.8.1.35.2" and my value is at the end "application_name".

lukejadamec · ‎10-28-2013

What are you searching for exactly?

Custom Search - Help needed.