Dear fellow splunkers,
I've got some events where the automatic field extraction of Splunk doesn't work. The log format looks like:
[log@1588 value="RASLOG"][timestamp@1588 value="2012-12-14T08:41:12.718453"][msgid@1588 value="SEC-1193"][seqnum@1588 value="26555"][severity@1588 value="INFO"]
Is there a way to create dynamic field extractions in the form of:
[<key>@1588 value=<value>]
I'm aware that it's possible to create a field extraction for each of my fields by hand but I'm searching for a dynamic solution 🙂
Thanks
Simon
Sure.
In transforms.conf, define your extraction:
[mycustomextraction]
REGEX = \[([^@]+)@1588 value="([^"]+)"
FORMAT = $1::$2
Then refer to your extraction in props.conf
[mysourcetype]
REPORT-customextraction = mycustomextraction
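Added example, not from the thread: the same REGEX run in Python to emulate what the `FORMAT = $1::$2` line does, so the extraction can be checked against a sample event before touching the Splunk config. The `mv_add` switch mirrors the transforms.conf `MV_ADD` setting (default false, keep the first value of a repeated field name); the sample event is constructed.

```python
import re

# The regex from the transforms.conf stanza above, unchanged. Python's re
# accepts it as written. Note it hard-codes the "@1588" enterprise id, so
# elements carrying a different id are silently skipped.
FIELD_REGEX = re.compile(r'\[([^@]+)@1588 value="([^"]+)"')

# Constructed sample event in the same format as the one in the question.
SAMPLE_EVENT = (
    '[log@1588 value="RASLOG"]'
    '[timestamp@1588 value="2012-12-14T08:41:12.718453"]'
    '[msgid@1588 value="SEC-1193"]'
    '[seqnum@1588 value="26555"]'
    '[severity@1588 value="INFO"]'
)


def extract_fields(event, mv_add=False):
    """Emulate FORMAT = $1::$2: group 1 is the field name, group 2 its value.

    Every match in the event yields one name/value pair. Returns a dict of
    name -> list of values. When a name repeats, mv_add=True appends the new
    value (a multivalue field, like MV_ADD = true in transforms.conf);
    mv_add=False keeps only the first value, which is Splunk's default.
    """
    fields = {}
    for name, value in FIELD_REGEX.findall(event):
        if name not in fields:
            fields[name] = [value]
        elif mv_add:
            fields[name].append(value)
    return fields


if __name__ == "__main__":
    for name, values in extract_fields(SAMPLE_EVENT).items():
        print(f"{name}={values[0] if len(values) == 1 else values}")
```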
Oh man, that's so ridiculously simple that I feel ashamed now 😉 Thanks for that quick solution!