Splunk Search

Events with Tab Delimited values

akshatj2
Path Finder

Hi All,

I have some logs which are mostly tab delimited. I used props and transforms to set up the delimited extractions, but in a few logs we have a backslash ("\") as a field value. Looks like Splunk is unable to handle the same with delimited extractions.

Has anyone faced a similar issue earlier, or is there any solution for the same?

Example Below:

Sample Logs:
Log1: Hostname abc \ xyz
Log2: Hostname abc domain\username xyz

Currently with delimited extraction I am getting the values below.

Log 1:
Field 1: Hostname
Field 2: abc
Field 3: \

xyz

Log 2:
Field 1: Hostname
Field 2: abc
Field 3: domain\username
Field 4: xyz


Sukisen1981
Champion

You need 3 backslashes, something like this:

[source::blah blah]
SEDCMD-removebackslsh = s/\\//g

Test on the web first:

| makeresults
| eval x="Hostname abc \ xyz"
| rex mode=sed field=x "s/\\\//g"

Sukisen1981
Champion

Hi @akshatj2,
Please accept the answer if it helped resolve your issue, or let us know what more is needed to resolve your issue.

akshatj2
Path Finder

Hi Sukisen,

Thank you for the suggestion, but we do not want to remove the backslash that is available. We wanted to parse that backslash as a field value using the delimiter. Looks like I have found a solution, though I am just testing it and should post the answer soon.

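An added example (mine, not code from the thread or from Splunk) that reproduces the symptom in the question on two constructed tab-delimited lines and contrasts it with a position-based regex extraction that keeps a lone backslash as an ordinary field value. The escape-aware splitter is my assumption about why the delimited extraction yields three fields for Log 1 (the backslash appears to protect the following tab), not Splunk's actual implementation.

```python
import re

# Constructed sample events (not captured from a real system): the two lines
# from the question, written with literal tab characters as the delimiter.
LOG1 = "Hostname\tabc\t\\\txyz"                 # third field is a lone backslash
LOG2 = "Hostname\tabc\tdomain\\username\txyz"   # third field contains a backslash


def split_escape_aware(line, delim="\t"):
    """Split on delim, but let a backslash protect the next character.

    Assumption: this models the observed behaviour (Log 1 collapses to three
    fields, with "\\<tab>xyz" as field 3). Both the backslash and the
    protected character are kept in the field value.
    """
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(ch)            # keep the backslash itself
            cur.append(line[i + 1])   # and the protected char, even a tab
            i += 2
            continue
        if ch == delim:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


# Four tab-separated groups; [^\t]* cannot be fooled by a backslash, so a
# lone "\" is captured as a normal value instead of eating the next tab.
FIELD_RE = re.compile(r"^([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)$")


def extract_with_regex(line):
    """Position-based extraction; returns None if the line is not 4 fields."""
    m = FIELD_RE.match(line)
    return list(m.groups()) if m else None


if __name__ == "__main__":
    for log in (LOG1, LOG2):
        print("escape-aware:", split_escape_aware(log))
        print("regex       :", extract_with_regex(log))
```

The Splunk analogue of `extract_with_regex` is a `REGEX`/`FORMAT` transform (or an `EXTRACT` in props.conf) in place of `DELIMS`, which keeps the backslash without any SEDCMD rewriting; that mapping is my suggestion, not something stated in the thread.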