Splunk Search

Fields extraction from TXT file with fixed position varrying event formats in each line

mbasharat
Contributor

I need to monitor a text file.
Each line in this file is considered an event.
There are three different types of event formats in this file. Formats are called format 4, format 6 and format 8. They are all fixed position.

What I need is a RegEx or any better solution to extract fields in a way that:
- If event entry matches with format 4, then extract those fields accordingly as labelled. If not then look for format 6.
- If event entry matches with format 6, then extract those fields accordingly as labelled. If not then look for format 8.
- If event entry matches with format 8, then extract those fields accordingly as labelled.

Since all three formats are fixed position so event entry will definitely match one of the three format above as per our requirements. Please notice that field 1-5 are same in each format. Change starts happening beginning from field 6 and onwards. Look like I need a solution with lookahead or if-then-else in RegEx.

We used below for format 4 and it works fine. now challenge is to do conditional to have it check and extract for format 6 and format 8.

index=sample sourcetype=SAMPLE_CODE4 

| rex field=_raw "(?ms)^.{90}(?P.{1})" offset_field=_extracted_fields_bounds

| rex field=_raw "^.{17}(?P.{1})" offset_field=_extracted_fields_bounds0

| rex field=_raw "^.{0}(?P.{1})" offset_field=_extracted_fields_bounds1

| rex field=_raw "^.{59}(?P.{1})" offset_field=_extracted_fields_bounds2

| rex field=_raw "^.{12}(?P.{5})" offset_field=_extracted_fields_bounds3

| rex field=_raw "^.{60}(?P.{1})" offset_field=_extracted_fields_bounds4

| rex field=_raw "^.{2}(?P.{10})" offset_field=_extracted_fields_bounds5

| rex field=_raw "^.{61}(?P.{2})" offset_field=_extracted_fields_bounds6

| rex field=_raw "^.{77}(?P.{3})" offset_field=_extracted_fields_bounds7

| rex field=_raw "^.{1}(?P.{1})" offset_field=_extracted_fields_bounds8

| rex field=_raw "^.{63}(?P.{14})" offset_field=_extracted_fields_bounds9

| rex field=_raw "^.{80}(?P.{10})" offset_field=_extracted_fields_bounds10

| rex field=_raw "^.{18}(?P.{41})" offset_field=_extracted_fields_bounds11

| head 1000

See attached file. I need both search time extractions as well as configuring method of extraction in the config file as needed. Thanks in advance!!!!!

alt text

Addendum:
Thanks a lot for prompt feedbacks. I was doing some more samples, position fixing for spotted issues and slightly adjusting regex for that so thats why responding a bit late. Below is additonal FIXED test data and regex. I need below regex broken down into three formats so I can use it in direct search for testing pls. I have tried it on www.regex101.com and it is matching and breaking down good now. Please check.

Now when I try to upload this file for one time monitoring for testing, I have only two options from UI. Either to identify each line as an EVent OR to user RegEx. When I use 1st method, it does not allow me to use below RegEx to extract fields, however, it breaks each line as an even which is good. If I use the second method, It puts all sample data together and not extract the fields nor separate each event by each line.

I need below RegEx to be broken down into 3 for 3 formats, 4, 6 and 8 like @woodcock did in SPL so I can test it out there with sample data as you did please. You can do only first couple rows separated with ::: and we will take care of the rest. Thanks in advance

RegEx:

(?J)^(?<servicecenterCode>.)(?<sinonmode>.)(?<employeeId>.{10})(?<eventCode>.{5})(?<formatCode>4(?<variabledata>.{41})(?<commandcodeDefiner>.)(?<hitIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4})(?<employeeNo>.{9})(?<servicecenterAccess>.)|6(?<customerId>.{9})(?<fileSourceCode>.)(?<customerIdType>.)(?<variabledata>.{30})(?<codeDefiner>.)(?<hitIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4})(?<employeeId>.{9})(?<servicecenterAccess>.)|8(?<customerId>.{9})(?<fileSourceCode>.)(?<customerIdType>.)(?<mftCode>..)(?<planNumber>.{3})(?<period>.{6})(?<reasonCode>..)(?<caseStatusCode>.)(?<nameControl>.{4})(?<variabledata>.{12})(?<commandcodeDefiner>.)(?<hitIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4})(?<employeeId>.{9})(?<servicecenterAccess>.))

Test Data:
fR1298548476IMFOL45811782951S94613201805330BVFT TY0120180730094327S017133330054j Gf P
cR0541654591SSNAD4FOE1323366S20766201804337VCKK @00320180730094327S017133330036j Hc D
cR6514218124EINAD4DOE1302364S25590201805331AHKJ N0520180730094327F041133330002j Gc F
cR7657215143SUMRY47779977772S03253201807334NCHE Y0220180730094327R002379327465 Ec R
cR5953482071INOLE41447259924E52121201801008DBTN @N0420180730094327R002133330091 Hc R
cR2898564174TXMOD46352542191E26920201802009KPDZ S00520180730094327K013133330050j Ic T
cR2876775191TXMOD40323175371S61226201807335YBOV @N0420180730094327S017133330043j Jc C
fT4708103013NAMES4FOE1323924S21496201803 4FXZD @00320180730094327R002133330092 Af

fR0226672024NAMEE4DOE1302923S02315201801 0UNCY SY0620180730094327F041133330002 Cf T
fT4443253213SUMRY49999999992S30463201803333FOZX T00120180730094327K013311133965 Df T
fP1420916797BMFOL44990396344E25120201803336HKMW @Y0120180730094327S017133330029 Ef T
kR5817124797TXMOD41333317076E20196201804 8HDNN T00220180730094327F041133330002j Gk T
kT1385586640NAMEI4LOE1323072S12910201807338IGCW Y0520180730094327K013133330007j Ak E
kT7026180021TXMOD41333301812S54795201806 6NEJS TY0620180730094327K013133330081 Ek P
kT1368976488INOLE41928598383S95910201801331POUK @00420180730094327K013133330006 Ik B
kT6241906114BMFOL48639820266E09076201801005JFOU SN0320180730094327K013133330071 Ck R
mT1565694940TXMOD41333318816S01811201802009BFMB SN0220180730094327S017133330002j Fm A
mP3400956518NAMEB4LOE1323073S71836201801 2CYPQ @Y0520180730094327F041133330007 Cm I
mT0860993636BMFOL41333317812S96115201802339TXAL TN0220180730094327F041133330081j Em C
mP3570066946TXMOD48680158211E94493201802 9NVKA TN0520180730094327F041133330050j Gm C
mT9350471607SUMRY43395544244S18645201807338XTXI T00520180730094327K013133330067j Dm 0
mT7945532965IMFOL46939011953S17292201807 7XUJN @Y0520180730094327K013133330038j Hm E
nP9107239233FINDS4MOE1323233E25241201801334JTMV TY0420180730094327K013133330023 Hn T
nR9886908780BMFOL45879043434S86927201806335TOUS SN0220180730094327R002133330064 An

nT1655002017BMFOL40389284782E11452201803337RDFT @00520180730094327K013133330059j Fn

nT1809006537SUMRY45827717751E11772201806008VLIZ @Y0620180730094327F041133330088j Fn S
nP8776887108IMFOL41136042474S31341201804005HSCY T00220180730094327R002133330099j An S
oT7447732003INOLE45299216573S07923201802 2OSJH Y0420180730094327K013303970591j Co C
oR1311120263SUMRY47957074552S17161201802 8IXZY @N0320180730094327F041133330081j Go T
oT0055598373SUMRY49919638613E51825201807333SEWQ TY0420180730094327R002133330096j Ao P
pP7215149590TXMOD41234567896E07625201804330UZDT SN0520180730094327R002750896893 Ap D
pR3044919804BMFOL41397076471S85267201803332DZEU SN0120180730094327S017133330079 Ep I
pP6477890655TXMOD42740203586E72127201801338DYCH @Y0520180730094327R002133330091 Fp C
tT7406671480FINDE4MOE1323233S58533201801 7JREW @Y0320180730094327R002133330023 Ct 0
tR8272783627TPIIP4MOE1323231E17923201807 4KFVL 00320180730094327S017133330023j Et F
tP1376447358TXMOD41234567894E03618201803 9YYSJ Y0620180730094327K013321231331j At P
tT8384273729TXMOD48704147666S31521201806 5PDWU TN0520180730094327S017133330015j Bt A
tR7020917196IMFOL47658161296S35359201806 4MTLM @00120180730094327R002133330084j It R
tP3721208587IMFOL44685944314E07368201806 3EFMG SN0320180730094327F041133330091 At F
tP0946457554BMFOL42512904223S22413201806334ZEZG TN0520180730094327S017133330062j At D
tT8358885950TXMOD48029926323E85699201805 7XVOJ SY0320180730094327K013133330029j Bt 0
tR6725387706TXMOD49901804524S10029201803003SKDR TN0420180730094327F041133330057j Ct B
uR0794067328INOLE48778236982S85621201807337YIMU T00520180730094327F041133330027 Fu D
uT7126960004TXMOD42856727322S25085201803331GPEX @00420180730094327R002133330087 Bu

uP8872619046INOLE41010449672S25802201802339QVRG TN0320180730094327S017133330064j Cu P
uT4988607071INOLE47912081553E64337201805 8HSQM SN0220180730094327F041133330076j Iu I
fT0471962955INOLE64823464134E95309201806008ZKLX S00120180730094327S017133330085j Hf C
fT3279240917INOLE61333300024E03804201801335BSFW @00220180730094327R002133330002 Df

cP4324323016INOLE65119172171S02477201807 6GWBP @N0420180730094327S017133330075 Ic 0
cT4547213298IMFOL61333317021E25793201801 1JHHW @00120180730094327K013133330002 Hc E
fT1722386972IMFOL66274531273S30353201804 5GAJP S00320180730094327R002133330019j Df D
fP8066089440SUMRY65767577066S31237201807 3DMVA N0420180730094327K013133330068 If R
fP0485546298TXMOD63561122034S60949201802336UYKK S00120180730094327R002133330044 Ff

kT6365702862SUMRY65523659821S17636201804004QUTW SY0520180730094327K013133330024j Fk 0
kP8580284912INOLE68025036804E38260201801339ZHCO 00520180730094327F041133330032 Jk T
kR3750882848BMFOL61148962912E11015201802004YLCT Y0120180730094327R002133330070 Bk A
kT8698598113IMFOL63008486593S07600201802339UUNM SY0420180730094327R002133330050j Hk E
mP6970348535TXMOD61365287331E72748201804334TKQU SN0320180730094327K013133330028j Dm I
mP4346669023TXMOD62447281613E97165201805335NROE TY0320180730094327S017133330024j Fm A
mR2254832389SUMRY65219572171S12941201803333FMMD TY0620180730094327F041133330017 Dm F
nP0791300073INOLE65299216573S32593201807005JGHT N0220180730094327R002790580021j Jn S
nP5237696211TXMOD66966905522E38294201802008GRNU S00120180730094327K013133330087j An R
nT3017798844IMFOL65860965632S52761201803000GAAF Y0420180730094327R002133330043j Jn A
nR3326954123TXMOD61549583014S26867201805005MURC SN0420180730094327S017133330093j In T
nT0861273555BMFOL61998010194E20651201802332VHDM TN0120180730094327R002133330059j Jn T
oP9036501288BMFOL61333318743S18404201805 3TXNE @N0620180730094327S017133330002j Fo E
oT1759941218TXMOD61333300021E71832201805002VIBE @N0320180730094327S017133330002 Eo I
oT6582800203BMFOL62446659214S32976201804 4FFXY @N0120180730094327R002133330017 Ao F
oR7939342733SUMRY69379014136E60957201803335RUWJ S00120180730094327R002133330098 Fo S
oP8862288714SUMRY68206040392E60825201803331HNBX T00220180730094327K013133330064 Go A
pP2769085422IMFOL61333300021E20141201804004RCWD TN0120180730094327K013133330002j Hp T
pP7409691286SUMRY62104877296E95805201805004FHJQ @00120180730094327K013133330038j Ep T
pT9068663789BMFOL69302987094E51001201806008ZGAZ TN0120180730094327K013133330077 Jp S
pR5149288095IMFOL60520590396S19802201804339ZWDX TY0420180730094327S017133330056 Cp

pP0633308829TXMOD69994222534E78363201807333WERI TN0520180730094327K013133330019j Ep S
pT7700784907INOLE66078403092E53076201801002QWEF @N0520180730094327K013133330056j Gp D
tT6886055451BMFOL61572105781E58414201803 9WJEB T00220180730094327K013133330063j Dt F
tR5241526864TXMOD62151614984E05704201802330QHOK TY0620180730094327K013133330013j At C
tP4417067141INOLE65375500761S06504201801 0WTQM @00120180730094327K013133330097 It F
tP5586690268TXMOD63100844686S11257201804335VUTI N0320180730094327S017133330012j Dt C
uT0554281764IMFOL68306186783E60385201805 4DAIB @00620180730094327K013133330099 Bu R
uR4461381008TXMOD63241903884E94776201804 2ZOFQ N0120180730094327F041133330053 Du S
uR4398039459BMFOL67319955666E53320201807004IAJE TN0520180730094327K013133330083 Hu S
cR8352776094BMFOL82862187046S06054201804338RCUW @00120180730094327S017133330048 Gc A
cR4800640192INOLE89652584754S93138201803001OMRS T00120180730094327R002133330008 Hc I
cR8985007583BMFOL82492120606E20531201805337MLGI @N0520180730094327F041133330016 Ac S
cP9888831767IMFOL83656331773S86861201803004YKHC T00320180730094327R002133330096j Hc T
cP8618959181SUMRY81944198781S45279201804000CADU 00220180730094327R002133330068 Gc 0
cT4521083787TXMOD82278039513S02272201804334NVDY @N0220180730094327F041133330034j Dc I
fP2564275283IMFOL80318031326E30882201801 5GHZR SY0420180730094327S017133330042j Gf A
fP4528534747IMFOL86708734682E60857201807 4QYXH T00220180730094327F041133330087j Df B
fR7161291737TXMOD88086378453E08129201806001HMET S00420180730094327K013133330055j Cf R
fR3735322969SUMRY87928205732E10427201807337LGME @00420180730094327K013133330022 Df I
kT4357356706INOLE89999999996E95908201802 6ZHSG @00420180730094327S017460292587 Fk S
kP0566601474BMFOL85154258532S21164201805333FKZH SN0620180730094327K013133330019 Gk P
kP6203899824TXMOD86113408923E64157201804 1WLXF 00220180730094327F041133330024j Dk D
kR1503975361BMFOL82128079591E52786201801 4QEQA TN0620180730094327S017133330048j Bk I
kR0588299223TXMOD84388149554E35796201801337WCSU @00120180730094327R002133330029j Ek F
mT9849663219IMFOL89999999994E93642201807 0PACC Y0620180730094327R002339340904j Im

mT2828410726BMFOL84853240732E05935201803004AWRM T00620180730094327K013133330060 Am A
mT9032854047TXMOD89419660584S45810201802006ZANV 00520180730094327F041133330018j Gm A
mP0697635410TXMOD82647299231S45874201807336OLNW @N0620180730094327K013133330031 Im P
mT5071611163IMFOL80689627656E64065201802 5UCNK 00220180730094327K013133330012j Im R
nT7246638337TXMOD81333317741S32395201806 0WKWN @N0520180730094327K013133330002 Fn S
nR5495138073SUMRY83794664972S07307201805 1VCWZ TY0320180730094327K013133330010j Dn S
nR2384675412BMFOL86169853296S25077201805333WBHW TN0320180730094327F041133330035j Gn I
oP0656761680IMFOL86340423763E11149201807001SBWM TY0220180730094327K013133330006j Bo T
oP0985178823TXMOD86064555104E64700201805001TIIK Y0420180730094327S017133330075j Go E
oR4013244087IMFOL83698777514E49302201803000DREY TY0320180730094327R002133330087j Ao E
oT9138665736IMFOL89163731651E02858201802007LGOA @00620180730094327F041133330049j Ho S
oR6611294272TXMOD87738266126S85914201805008KJFU S00520180730094327F041133330018 Bo E
pP1123052654BMFOL81333300743S51637201807 6RDUL SY0520180730094327S017133330002 Gp P
pR8042075137SUMRY80781949931E54658201805004VLLD N0220180730094327R002133330091j Cp E
pP0084188498IMFOL83666867631S30525201807 9AYAX @00220180730094327S017133330018 Cp T
pT6041235188IMFOL85464344773E06931201805004XWIN 00520180730094327R002133330002 Cp C
uT1539545402INOLE81333300023S23326201801 9WPLG TY0520180730094327S017133330002j Bu A
uR4927222962BMFOL85299216576E17285201802007CROQ TN0420180730094327K013944833579 Fu S
uR4609034898SUMRY80479401391S54577201805334YXKJ TN0120180730094327K013133330064j Cu C
uR2432538664BMFOL82972196553S09631201801 8CKNP @00220180730094327R002133330028j Gu E
uP7398842392TXMOD88709474323S85557201806338BTSH N0220180730094327K013133330099j Au E

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

This regex matches your sample events, but format 8 appears to missing the last 2 fields (Employee No and Center Access). Perhaps I missed something, but I think this gives you an idea of how to proceed.

(?J)^(?<branchCode>.)(?<mode>.)(?<employeeId>.{10})(?<eventCode>.{5})(?<format>4(?<data>.{30})(?<codeDefiner>.)(?<hzIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4})(?<employeeNo>.{9})(?<centerAccess>.)|6(?<customerId>.{9})(?<fileSourceCode>.)(?<idType>.)(?<data>.{19})(?<codeDefiner>.)(?<hzIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4})(?<employeeNo>.{9})(?<centerAccess>.)|8(?<customerId>.{9})(?<fileSourceCode>.)(?<idType>.)(?<mftCode>..)(?<planNumber>.{3})(?<period>.{6})(?<reasonCode>..)(?<caseStatusCode>.)(?<nameControl>.{4})(?<data>.{12})(?<codeDefiner>.)(?<hzIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4}))

To extract the format code alone, use | rex field=format "(?<format>.)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

woodcock
Esteemed Legend

Only your Format4 data matches your chart, but in any case, here is how you would do it (with slight adjustments to match what you really have):

| makeresults 
| eval raw="bR7225256004BMFOL47779977771S58628201804333EFUJ S00420180730094327R002698517851j Jb P:::fR7161291737TXMOD88086378453E08129201806005PQRS S00420180730094327K013133330055j Cf R:::fR1298548476IMFOL45811782951S94613201805336UVWX TY0120180730094327S017133330054j Gf P:::fT0471962955INOLE64823464134E95309201806001ABCD S00120180730094327S017133330085j Hf C:::bP3729146654TXMOD61333301026E20361201803007VZHU N0320180730094327K013133330002 Bb 0:::fR3735322969SUMRY87928205732E10427201807339EFGH @00420180730094327K013133330023 Df I:::fP1420916797BMFOL44990396344E25120201803330IJKL @Y0120180730094327S017133330029 Ef T:::fP1420916797BMFOL44990396344E25120201803333BDES @Y0120180730094327S017133330029 Ef T:::bT9593420235IMFOL81333300022S45253201802 0ZXYN TY0420180730094327K013133330002 Cb P:::fP0485546298TXMOD63561122034S60949201802338ABCD S00120180730094327R002133330044 Ff:::fT4708103013BMFOL41333318024S21496201803 ABCDE @00320180730094327R002133330002 Af D:::fT3279240917INOLE61333300024E0380420180133FGHIJ @00220180730094327R002133330002 Df" 
| makemv delim=":::" raw 
| mvexpand raw 
| rename raw AS _raw 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "^(?<Branch_Code>.{1})(?<Mode>.{1})(?<Employee_ID>.{10})(?<Event_Code>.{5})(?<Format_Code>.{1})(?<Variable_Data>.{30})(?<Code_Definer>.{1})(?<Hit_Indicator>.{1})(?<Error_Code>.{2})(?<Record_Date>.{14})(?<Terminal_ID>.{4})(?<Employee_No>.{9})(?<Center_Access>.{1})(?<F4_EXTRA>.{5})"
| rex "^(?<Branch_Code>.{1})(?<Mode>.{1})(?<Employee_ID>.{10})(?<Event_Code>.{5})(?<Format_Code>.{1})(?<Customer_ID>.{10})(?<File_Source_Code>.{1})(?<ID_Type>.{1})(?<Variable_Data>.{30})(?<Code_Definer>.{1})(?<Hit_Indicator>.{1})(?<Error_Code>.{2})(?<Record_Date>.{14})(?<Terminal_ID>.{4})(?<Employee_No>.{9})(?<Center_Access>.{1})(?<F6_EXTRA>.{5})"
| rex "^(?<Branch_Code>.{1})(?<Mode>.{1})(?<Employee_ID>.{10})(?<Event_Code>.{5})(?<Format_Code>.{1})(?<Customer_ID>.{9})(?<File_Source_Code>.{1})(?<ID_Type>.{1})(?<MFT_code>.{2})(?<Port_Number>.{3})(?<Period>.{6})(?<Reason_Code>.{2})(?<Case_Status_Code>.{1})(?<Name_control>.{4})(?<Variable_Data>.{12})(?<Code_Definer>.{1})(?<Hit_Indicator>.{1})(?<Error_Code>.{2})(?<Record_Date>.{14})(?<Terminal_ID>.{4})(?<Employee_No>.{9})(?<Center_Access>.{1})(?<F8_EXTRA>.{5})"
0 Karma

mbasharat
Contributor

Thanks A LOT @woodcock for promptness. Please see Addendum in question. Need some additional guidance pls. TY!!

0 Karma

woodcock
Esteemed Legend

So you accepted an answer which is fine. If you have additional needs, please post a new answer.

mbasharat
Contributor

Thanks @woodcock, all good at the moment. Used both but can accept only one. I have up-voted yours as well 🙂

0 Karma

woodcock
Esteemed Legend

I don't see the UpVote but that's the way you do it, for sure.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This regex matches your sample events, but format 8 appears to missing the last 2 fields (Employee No and Center Access). Perhaps I missed something, but I think this gives you an idea of how to proceed.

(?J)^(?<branchCode>.)(?<mode>.)(?<employeeId>.{10})(?<eventCode>.{5})(?<format>4(?<data>.{30})(?<codeDefiner>.)(?<hzIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4})(?<employeeNo>.{9})(?<centerAccess>.)|6(?<customerId>.{9})(?<fileSourceCode>.)(?<idType>.)(?<data>.{19})(?<codeDefiner>.)(?<hzIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4})(?<employeeNo>.{9})(?<centerAccess>.)|8(?<customerId>.{9})(?<fileSourceCode>.)(?<idType>.)(?<mftCode>..)(?<planNumber>.{3})(?<period>.{6})(?<reasonCode>..)(?<caseStatusCode>.)(?<nameControl>.{4})(?<data>.{12})(?<codeDefiner>.)(?<hzIndicator>.)(?<errorCode>..)(?<recordDate>.{14})(?<terminalId>.{4}))

To extract the format code alone, use | rex field=format "(?<format>.)"

---
If this reply helps you, Karma would be appreciated.
0 Karma

mbasharat
Contributor

Thanks A LOT @richgalloway for promptness. Please see Addendum in question and initial response of @woodcock. Need some additional guidance pls. TY!!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It would be helpful if you would paste some sample events of each type so we can test regular expressions. Please don't screenshot the data.

---
If this reply helps you, Karma would be appreciated.

woodcock
Esteemed Legend

I HATE SCREENSHOTTED DATA!

0 Karma

mbasharat
Contributor

Sure @ richgalloway. See below. Do notice that sometimes, one of the field/s may not have data but field position is fixed so that can be filled with "unknown" value or left blank. Please copy/paste below in notepad for looking.

Format Code 4 Sample breakdown:
b|R|7225256004|BMFOL|4|7779977771S58628201804333EFUJ |S|0|04|20180730094327|R002|698517851|j| Jb P

Format Code 4 Samples:
bR7225256004BMFOL47779977771S58628201804333EFUJ S00420180730094327R002698517851j Jb P
fR7161291737TXMOD88086378453E08129201806005PQRS S00420180730094327K013133330055j Cf R
fR1298548476IMFOL45811782951S94613201805336UVWX TY0120180730094327S017133330054j Gf P
fT0471962955INOLE64823464134E95309201806001ABCD S00120180730094327S017133330085j Hf C

Format Code 6 Sample breakdown:
b|P|3729146654|TXMOD|6133330102|6|E|20361201803007VZHU | |N|03|20180730094327|K013|133330002| Bb 0

Format Code 6 Samples:
bP3729146654TXMOD61333301026E20361201803007VZHU N0320180730094327K013133330002 Bb 0
fR3735322969SUMRY87928205732E10427201807339EFGH @00420180730094327K013133330023 Df I
fP1420916797BMFOL44990396344E25120201803330IJKL @Y0120180730094327S017133330029 Ef T
fP1420916797BMFOL44990396344E25120201803333BDES @Y0120180730094327S017133330029 Ef T

Format Code 8 Sample breakdown:
b|T|9593420235|IMFOL|8|133330002|2|S|45|253|201802| 4|N|XKN |T|Y|04|20180730094327|K013|133330002| | Cb P

Format Code 8 Samples:
bT9593420235IMFOL81333300022S45253201802 0ZXYN TY0420180730094327K013133330002 Cb P
fP0485546298TXMOD63561122034S60949201802338ABCD S00120180730094327R002133330044 Ff
fT4708103013BMFOL41333318024S21496201803 ABCDE @00320180730094327R002133330002 Af D
fT3279240917INOLE61333300024E0380420180133FGHIJ @00220180730094327R002133330002 Df

0 Karma

woodcock
Esteemed Legend

OK, so you told us where the field breaks are, but not the field names. And you use (?P<name>) variation so it ate you field names (do not use the P).

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...