Dear fellow splunkers,
I've got some events where the automatic field extraction of Splunk doesn't work. The log format looks like:
[log@1588 value="RASLOG"][timestamp@1588 value="2012-12-14T08:41:12.718453"][msgid@1588 value="SEC-1193"][seqnum@1588 value="26555"][severity@1588 value="INFO"]
Is there a way to create dynamic field extractions in the form of:
I'm aware that it's possible to create a field extraction for each of my fields by hand, but I'm searching for a dynamic solution 🙂
In transforms.conf, define your extraction (the stanza name is what props.conf refers to):
[mycustomextraction]
REGEX = \[([^@]+)@1588 value="([^"]+)"
FORMAT = $1::$2
Then refer to your extraction in props.conf:
REPORT-customextraction = mycustomextraction
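To see what the REGEX / FORMAT = $1::$2 pair above produces before touching a Splunk config, here is an added Python emulation of that transform run over the question's sample event (example code, not from the answer or from Splunk). It goes one step beyond the answer by accepting any numeric SD-ID after the "@" rather than the hard-coded 1588; the event strings are constructed from the question's format.

```python
import re

# Constructed sample event, in the exact format shown in the question.
SAMPLE_EVENT = (
    '[log@1588 value="RASLOG"][timestamp@1588 value="2012-12-14T08:41:12.718453"]'
    '[msgid@1588 value="SEC-1193"][seqnum@1588 value="26555"][severity@1588 value="INFO"]'
)

# The answer's REGEX, generalised: "\d+" in place of the literal 1588 so the
# same transform covers events carrying a different SD-ID. Group 1 is the
# field name ($1), group 2 the value ($2), matching FORMAT = $1::$2.
FIELD_RE = re.compile(r'\[([^@\]]+)@\d+ value="([^"]*)"\]')


def extract_fields(event: str) -> dict:
    """Emulate the search-time extraction: every bracketed block in the
    event becomes one field named by $1 with the value of $2."""
    fields = {}
    for name, value in FIELD_RE.findall(event):
        fields[name] = value
    return fields


if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{name}={value}")
```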
Oh man, that's so ridiculously simple that I feel ashamed now 😉 Thanks for that quick solution!