How do I create key/value pairs from a _raw field with only values?

joshua_hart
Explorer

I have a Symantec Messaging Gateway syslog input that provides syslog with no keys, only values. For example:

2013-07-11T13:13:16-04:00 appliance-name ecelerity: 1373562795|d6038c16-b7fe96d000000710-2d-51dee7aae3dd|SENDER|some-email-address@domain.tld

Right now this entire event is contained within the "_raw" field. The log data is everything after "ecelerity:" and each value is delimited by a pipe character. What I'd like to do is create fields for those values and then index the event so I can search on those fields. The example above would have five fields:

  • Epoch Time
  • Unique ID
  • Action
  • Sender Address

It's important to note that the above example is but one among many. Some of the other events have more values and the keys for those values will differ based on the type of event (though everything up to and including the 'Action' field would be consistent across events).

What I need is the means to parse these events and then create rules for each event to add keys to the values. How can I do this? I'm thinking something in the props/transforms, but I'm not exactly sure how.


sdaniels
Splunk Employee

You could start with the Splunk Interactive Field Extractor (IFX) to parse out your fields for you. It will generate the appropriate regex for you. Sometimes it may need to be tweaked though.

http://www.splunk.com/view/SP-CAAADUY
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/ExtractfieldsinteractivelywithIFX

And yes you are correct that you'll use props.conf and transforms.conf to manually extract out fields. The IFX will write out data to those config files so you'll see the examples it creates. You should see those additions under $SPLUNK_HOME/etc/users.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

There is also a way to extract fields on the fly in a search if it's something less common and you don't already have a field:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Extractfieldswithsearchcommands

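To make the props/transforms approach concrete for this log format, here is an added example (not from the thread or from Splunk) that does what the question asks for: one regex for the common prefix (epoch time, unique ID, action), then a per-action table that assigns keys to the remaining pipe-delimited values. The named groups use the `(?P<name>...)` syntax so the pattern can be pasted into a transforms.conf REGEX unchanged; the RECIPIENT and VERDICT events and their key names are assumed shapes, since only the SENDER line appears in the question.

```python
import re

# Constructed sample events in the Symantec Messaging Gateway format from the
# question: a syslog header, then "ecelerity:" and pipe-delimited values.
# Only the first line is taken from the question; the others are assumed.
SAMPLE_EVENTS = [
    "2013-07-11T13:13:16-04:00 appliance-name ecelerity: "
    "1373562795|d6038c16-b7fe96d000000710-2d-51dee7aae3dd|SENDER|some-email-address@domain.tld",
    "2013-07-11T13:13:17-04:00 appliance-name ecelerity: "
    "1373562796|d6038c16-b7fe96d000000710-2d-51dee7aae3dd|RECIPIENT|someone@example.org",
    "2013-07-11T13:13:18-04:00 appliance-name ecelerity: "
    "1373562797|d6038c16-b7fe96d000000710-2d-51dee7aae3dd|VERDICT|spam|quarantine",
]

# The part common to every event: everything up to and including the action.
# (?P<name>...) groups are accepted by both Python and Splunk's PCRE, so this
# pattern can be used as a transforms.conf REGEX as-is.
COMMON = re.compile(
    r"ecelerity:\s+(?P<epoch_time>\d+)\|(?P<unique_id>[^|]+)\|(?P<action>[^|]+)"
    r"(?:\|(?P<rest>.*))?$"
)

# Per-action rules: which keys the remaining values get, in order.
# SENDER comes from the question; the other actions are assumed.
ACTION_FIELDS = {
    "SENDER": ["sender_address"],
    "RECIPIENT": ["recipient_address"],
    "VERDICT": ["verdict", "disposition"],
}

def parse_event(raw):
    """Return a dict of field -> value for one raw event, or None if the
    common prefix does not match. Values of an unknown action are kept as
    value_1, value_2, ... so nothing is silently dropped."""
    m = COMMON.search(raw)
    if not m:
        return None
    fields = {k: m.group(k) for k in ("epoch_time", "unique_id", "action")}
    values = m.group("rest").split("|") if m.group("rest") else []
    keys = ACTION_FIELDS.get(fields["action"], [])
    for i, value in enumerate(values):
        key = keys[i] if i < len(keys) else "value_%d" % (i + 1)
        fields[key] = value
    return fields

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(parse_event(raw))
```

Running the script over the sample events prints one dict per event, which is a quick way to check a regex before committing it to transforms.conf.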

the_wolverine
Champion

If your data originates from a file that contains a header, I would use automatic header-based fields: http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Extractfieldsfromfileheadersatindextime


joshua_hart
Explorer

Using the IFX seemed to work for now. I wasn't able to extract all the fields I was looking for, but I was able to get at what I needed for our purposes.

Ideally, if I had the option to format the data before being sent to syslog, I'd be happy. In fact, if Symantec didn't send Brightmail mail audit logs to syslog as separate events (each aspect of a single record is sent as a separate syslog event) I'd have a much easier time extracting fields.

Thanks for the tips, BTW.
