event 1:
31.138.204.1 | ssh | o*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | 0 | 15122 | 738 | **push**, ssh:user:id:121237 | 1595| 10togc8 |
event 2:
31.138.204.1 | ssh | i*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | - | - | - | push, ssh:user:id:121237 | - | -|
I have two types of events, and in some events the item after the second pipebar starts with 'o*' and in others it starts with 'i*'.
How do I formulate a regex so that I can search either type of events?
@zacksoft Your field structure seems the same for both events, which can be easily extracted as INDEXED_EXTRACTIONS = psv. You can have an additional field created using regex field extraction and/or eval transform to call 'o' as output and 'i' as input.
If your field names are actually completely different for the two events and you want separate field extractions for both, then one of the options I would try is to use regex based on this 'i' or 'o' match using props.conf and transforms.conf while indexing (on heavy forwarder or indexer) to route the events to two separate sourcetypes. Then for each sourcetype define its own field extraction. Refer to the Splunk documentation on Routing and Filtering Data.
Please let us know if you need further help with any of the above approaches.
@niketnilay What I essentially want is, "Check for the field after the second pipebar and if it starts with 'i' then exclude that event from the base search itself".
All the events where the item after the second pipebar begins with 'i' (example i*1N0HIQQx434x12481145x1) are unnecessary for me.
Not at forwarder level. In the query itself we are looking to parse the events and extract the value of fields (such as ZI53713, 1595, 10togc8) if the field after the second pipebar starts with 'o'.
The events where the item after the second pipebar starts with 'i' should be excluded.
Hope I am not confusing.
A sample SPL will help.
@niketnilay
All of the events in our log come in pairs (just like the example I have provided). The only difference between the two paired events is i* or o*, indicating input and output transaction.
The event with o* contains a value 1595. That value indicates the response time of the entire transaction.
And 'push' indicates the transaction type.
The ultimate goal is to identify the response time per each transaction from the paired event.
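Added example, written for this thread rather than taken from it: a Python version of the parse-and-filter logic described above, run over the two sample events quoted in the question. It anchors on the pipe positions instead of the literal ssh, keeps only the o* (output) events, and pairs i*/o* events by transaction id so the response time (1595) and transaction type (push) are read from the output event. The field positions and the names direction, txn_id, session and trailer are my assumptions about the log layout; the same regex can be reused in a Splunk rex command with (?<name>...) groups.

```python
import re

# Constructed sample input: the two paired events quoted in the question.
EVENTS = [
    "31.138.204.1 | ssh | o*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | "
    "SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | 0 | 15122 | 738 | "
    "**push**, ssh:user:id:121237 | 1595| 10togc8 |",
    "31.138.204.1 | ssh | i*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | "
    "SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | - | - | - | "
    "push, ssh:user:id:121237 | - | -|",
]

# Anchor on the pipe positions, not on the literal "ssh", so the pattern still holds
# when the second field is something else. The third field is split into the
# direction marker (i = input, o = output) and the transaction id shared by a pair.
EVENT_RE = re.compile(r"^[^|]+\|[^|]+\|\s*(?P<direction>[io])\*(?P<txn_id>\S+)\s*\|")


def _int_or_none(value):
    """Numeric fields are '-' on the input event; return None instead of failing."""
    return int(value) if value.isdigit() else None


def parse_event(line):
    """Parse one pipe-separated event; return None when the third field is not i*/o*."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 13:
        return None
    # Field positions below are an assumption about this log format, not documented.
    return {
        "direction": m.group("direction"),
        "txn_id": m.group("txn_id"),
        "session": fields[3],                                # e.g. ZI53713
        "txn_type": fields[10].split(",")[0].strip("* "),    # "**push**, ..." -> "push"
        "response_time": _int_or_none(fields[11]),           # 1595 on o*, None on i*
        "trailer": fields[12],                               # e.g. 10togc8
    }


def output_events(lines):
    """Keep only o* (output) events: the exclusion the thread asks for, done in code."""
    parsed = (parse_event(line) for line in lines)
    return [ev for ev in parsed if ev is not None and ev["direction"] == "o"]


def response_times(lines):
    """Pair i*/o* events by transaction id and report each transaction's response time.

    A transaction is reported only once its o* event has been seen; 'paired' records
    whether the matching i* event was also present, which is worth checking in an
    audit log where every transaction is expected to arrive as a pair.
    """
    seen = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        rec = seen.setdefault(
            ev["txn_id"],
            {"txn_type": ev["txn_type"], "directions": set(), "response_time": None},
        )
        rec["directions"].add(ev["direction"])
        if ev["direction"] == "o":
            rec["response_time"] = ev["response_time"]
    return {
        txn_id: {
            "txn_type": rec["txn_type"],
            "response_time": rec["response_time"],
            "paired": rec["directions"] == {"i", "o"},
        }
        for txn_id, rec in seen.items()
        if "o" in rec["directions"]
    }


if __name__ == "__main__":
    for txn_id, rec in response_times(EVENTS).items():
        print(txn_id, rec)
```

Running it on the two sample events yields one transaction, 1N0HIQQx434x12481145x1, of type push with a response time of 1595 and paired set to True; feeding only the i* event yields nothing, because the response time lives on the output event.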
Try this. Replace FIELD_NAME with whatever you want the field to be called:
ssh\s\|\s(?<FIELD_NAME>\S+)
'ssh' isn't always going to be the field after first pipe.
What I essentially want is, "Check for the field after the second pipebar and if it starts with 'i' then exclude that event from the base search itself".
All the events where the item after the second pipebar begins with 'i' (example i*1N0HIQQx434x12481145x1) are unnecessary for me.