Hi
I'm trying to "extract fields" with regular expressions for a specific position on a comma separated log file that always has the same number of fields on each row.
The file looks like this (one row):
2010-09-15 15:38:55 ,Default_TCr10.20_Webb.war,,ODRTEST01,HTTP,37,1,0,37,37,1,2010-09-15 15:33:50 ,2010-09-15 15:38:50 ,0,4.969857,0,0,0,2010-09-15 15:33:50,0
It's separated in 20 fields.
Let's say that I want the field at position 15, i.e. 4.969857. The problem for me in solving this is that the fields after and before can be '', '0' or 'a date-time', and I can't get | (pipe) and parentheses to work.
Is it possible to solve this in Splunk?
I'm using version 4.1.3.
If your events always have those 20 fields separated by commas, you should use a delimiter-based field extraction, as described here in the Knowledge Manual:
In your case, the following steps should work.
1 - Define the delimiter-based field extraction in $SPLUNK_HOME/etc/system/local/transforms.conf
[delimiter_based_extraction]
DELIMS = ","
FIELDS = field1, field2, field3, field4, field5, field6, field7, field8, field9, field10, field11, field12, field13, field14, field15, field16, field17, field18, field19, field20
2 - Call that extraction for the desired spec (source, sourcetype or host) in $SPLUNK_HOME/etc/system/local/props.conf
[my_sourcetype]
REPORT-delims = delimiter_based_extraction
The fields defined for extraction should now appear in the field picker.
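To show what the DELIMS/FIELDS extraction does with the row from the question, and the positional regex the question was reaching for, here is an added Python example (it is not Splunk code and not part of the answer above). The sample row is copied from the question and the field names follow the answer's FIELDS list; the regex form is what a search-time regex extraction such as Splunk's rex command would use.

```python
import csv
import io
import re

# Sample row copied from the question (constructed test input for this script).
SAMPLE_ROW = ("2010-09-15 15:38:55 ,Default_TCr10.20_Webb.war,,ODRTEST01,HTTP,"
              "37,1,0,37,37,1,2010-09-15 15:33:50 ,2010-09-15 15:38:50 ,0,"
              "4.969857,0,0,0,2010-09-15 15:33:50,0")
# Positional names, mirroring the FIELDS list in the answer's transforms.conf.
FIELD_NAMES = [f"field{i}" for i in range(1, 21)]


def extract_delimited(row, names=FIELD_NAMES, delim=","):
    """Mimic a DELIMS/FIELDS extraction: split on the delimiter and pair each
    value with its positional name. Empty fields are kept as '', so the
    positions stay stable whatever the neighbouring values contain."""
    values = next(csv.reader(io.StringIO(row), delimiter=delim))
    if len(values) != len(names):
        # A row with a different field count would silently mis-assign names.
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    return dict(zip(names, values))


def positional_regex(position, delim=","):
    """Build the regex a rex-style extraction needs for one position: skip
    (position-1) fields, each 'anything but the delimiter' followed by the
    delimiter, then capture the next field. [^,]* also matches '', '0' or a
    date-time, so no alternation with | is needed."""
    skip = position - 1
    return re.compile(
        rf"^(?:[^{delim}]*{delim}){{{skip}}}(?P<field{position}>[^{delim}]*)")


def extract_position(row, position):
    """Return the value at the given 1-based position, or None on no match."""
    m = positional_regex(position).match(row)
    return m.group(f"field{position}") if m else None


if __name__ == "__main__":
    fields = extract_delimited(SAMPLE_ROW)
    print("field15 via delimiter extraction:", fields["field15"])
    print("field15 via positional regex:   ", extract_position(SAMPLE_ROW, 15))
    print("regex used:", positional_regex(15).pattern)
```

The csv module keeps positions correct even if a value is quoted and contains a comma, which a plain split or the regex above would not; the answer's DELIMS approach likewise assumes the delimiter never occurs inside a value.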
Thanks, this will work for me.