Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Custom parsing

yhemaraj
Engager
‎09-26-2012 04:42 PM

I am rookie here.
I have a log of type
"2e 00000008 M 2050 nodemgr 09/10/21 20:01:11.860361 NODEMGR: Successfully set our time"
I would like to extract the fields as below.
deviceId moduleId level id moduleName time(YY,mm,DD HH:MM:SS) message
I do not want to parse the message at this point, but may want to parse a subset of structured messages at a later point.
How do I go about doing this?

Tags (2)
0 Karma
Reply

emiller42
Motivator
‎09-26-2012 05:28 PM

So two things you'll want to do:

First, create a stanza in transforms.conf that uses regex to parse out your fields. (Below is an example, which is based on the one line you posted. It may need to be tweaked)

[sourcetype_extraction]
REGEX = (\w+)\s+(\d+)\s+(\w+)\s+(\d+)\s+(\w+)\s+(\d+/\d+/\d+\s\d+:\d+:\d+\.\d+)\s(.*)
FORMAT = deviceId::$1 moduleId::$2 level::$3 id::$4 moduleName::$5 time::$6 message::$7

Then you'll want to create a stanza in your props.conf that applies the transform to your sourcetype.

[sourcetype]
REPORT-sourcetype = sourcetype_extraction

All of this is applied at search time, so will apply to anything you've already indexed, and can be changed without losing anything.

It's also worth noting that the timestamp should be getting extracted on index into the _time field, so you shouldn't have to explicitly pull it out. But it may be a good idea to do so anyway via the TIMEFORMAT setting in props.conf.

Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...