How do I extract a semicolon separated field durin...

Oti47 · ‎12-06-2013

Hi I have a Log string event like this, between a different defined log format.
How could is separate the fields during the search time?

It is possible, to add the additional field definition into my standard definition at the property files?

Thanks.

SysH=1.0;MemU=4803;MemF=3241;SwpU=4927;SwpF=11160;PrcC=81;PrcTpCPU=(5140)C:\tools\eclipse\eclipse.exe=0.06, (3932)C:\Program Files\Java\jdk1.7.0_03\bin\javaw.exe=0.05, (2996)C:\Windows\system32\Dwm.exe=0.01, (4752)C:\Program Files (x86)\Mozilla Firefox\firefox.exe=0.01, (4276)C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE=0.01;PrcTpMem=(3932)C:\Program Files\Java\jdk1.7.0_03\bin\javaw.exe=1847120, (5140)C:\tools\eclipse\eclipse.exe=1444200, (4752)C:\Program Files (x86)\Mozilla Firefox\firefox.exe=1106056, (3668)C:\Program Files\Windows Sidebar\sidebar.exe=771540, (4644)C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe=649716;CPUH=0.96;CPULd=0.07;CPUNonIdl=0.12;MemH=1.0;NetDownR=eth3=1552, eth2=1552, eth8=1552, eth15=1552, eth16=1552;NetUpR=eth3=1123, eth2=1123, eth8=1123, eth11=0, eth13=0, eth12=0, eth15=1123, eth14=0, eth16=1123;

kristian_kolb · ‎12-06-2013

This looks like a classic example for a REPORT;

props.conf

[your sourcetype]
REPORT-blah = asdf

transforms.conf

[asdf]
DELIMS = ";", "="

How do I extract a semicolon separated field during search?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies