Splunk Search

Field extraction with escaped character or control character

Explorer

Hello, my user tried to feed in the CSV like log file in the Splunk and I have asked to do the field extraction. With the help from here, the task is almost can be done.
However, they required the field extraction can handle the escape character and control character, for example the raw log is as follows.

"2018-12-12T03:16:07Z","4B82113678C1ADDCF","4976","Test 20190109","Test\, analytics","test line 1\ntest line 2\ntest line 3","40000","2018-12-12T03:14:00Z","2018-12-12T04:14:00Z","Rm111"

or following (Control C as delimiters between each field)

"2018-12-19T10:04:29Z"^C"4B82113678C1ADDCFE81934078258730D08EDC49AF44B9DF683ED28961F39D54"^C"4978"^C"Test analytics 0109"^C"Test analytics with un-escaped double quote"^C"Test analytics with "un-escaped" double quote""40000"^C"2018-12-19T10:03:00Z"^C"2018-12-19T11:03:00Z"^C"Rm111"

The reason why have this requirement as the log is CSV like in first version which is in the format
"2018-12-12T03:16:07Z","4B82113678C1ADDCF","4976","Test 20190109","Test, analytics","test line 1 test line 2 test line 3","40000","2018-12-12T03:14:00Z","2018-12-12T04:14:00Z","Rm111"

and my regex is

^"($ms)(?.)","(?.)","(?.)","(?.)","(?.)","(?.)","(?.)","(?.)","(?.)","(? .)"$

This able to handle most cases but since the description and name can be freely inputted by user, if there are "," pattern in the input, the field extraction would be wrong. Therefore we are looking for this issue.

Would you please help me on this case as I do not have any idea on this.

Thank you

0 Karma

Champion

Hi @kcchu01

Please try this rex

"(?P<field1>(.*))"[,|\cC]"(?P<field2>(.*))"[,|\cC]"(?P<field3>(.*))"[,|\cC]"(?P<field4>(.*))"[,|\cC]"(?P<field5>(.*))"[,|\cC]"(?P<field6>(.*))"[,|\cC]"(?P<field7>(.*))"[,|\cC]"(?P<field8>(.*))"[,|\cC]"(?P<field9>(.*))"[,|\cC]"(?P<field10>(.*))"
0 Karma

Champion

@kcchu01 Whether it works?

0 Karma