Splunk Search

How to break an incoming event into searchable fields?

Path Finder

I am struggling to figure out how to break an incoming event into [searchable] fields and am hoping someone could point me in the right direction.

See my data below which is received as you see it and without an index line, per se. I have been reading the online docs, answers, investigating props.conf and playing with regex to pull out the data fields, but am not getting anywhere. Can someone assist?

The fields that I want to utilize are from "INCATOT" through "MIDFAIL" and the corresponding values are "31614" through "0", however initially I could work with a smaller set of fields. I presume that I could use the "INCATOT" -> "MIDFAIL" text as the log index, but I really could use some assistance here.

Thanks in advance.

AMSTNLA201A CM           OMPR201 SEP08 15:16:04 3202 INFO OM REPORT 
    CLASS:   LCR_OM
    START:2014/09/08 15:00:00 MON; STOP: 2014/09/08 15:15:00 MON;
    SLOWSAMPLES:         9 ; FASTSAMPLES:         90 ;

    TRK
          KEY (COMMON_LANGUAGE_NAME)
          INFO (OM2TRKINFO)
             INCATOT   PRERTEAB     INFAIL    NATTMPT   NOVFLATB      GLARE    OUTFAIL    DEFLDCA       DREU       PREU
                 TRU        SBU        MBU   OUTMTCHF    CONNECT     TANDEM        AOF        ANF       TOTU     ANSWER
             ACCCONG   NOANSWER   INANSWER    OUTANSU     INANSU    MIDFAIL

         --------------------------------------------------------------------------------------------------------------
               31614         31         84      35822       1351          4         16          0          0          0
              116631          0        397          0      34402      34255          0          0     117028      26421
                   0          0          0          0          0          0
1 Solution

Path Finder

I just wanted to post what I have ended up using as the solution.

| rex field=_raw "-+[^\\d]+(?<INCATOT>[^ ]+)\\s+(?<PRERTEAB>[^ ]+)\\s+(?<INFAIL>[^ ]+)\\s+(?<NATTMPT>[^ ]+)\\s+(?<NOVFLATB>[^ ]+)\\s+(?<GLARE>[^ ]+)\\s+(?<OUTFAIL>[^ ]+)\\s+(?<DEFLDCA>[^ ]+)\\s+(?<DREU>[^ ]+)\\s+(?<PREU>[^ ]+)\\s+(?<TRU>[^ ]+)\\s+(?<SBU>[^ ]+)\\s+(?<MBU>[^ ]+)\\s+(?<OUTMTCHF>[^ ]+)\\s+(?<CONNECT>[^ ]+)\\s+(?<TANDEM>[^ ]+)\\s+(?<AOF>[^ ]+)\\s+(?<ANF>[^ ]+)\\s+(?<TOTU>[^ ]+)\\s+(?<ANSWER>[^ ]+)\\s+(?<ACCCONG>[^ ]+)\\s+(?<NOANSWER>[^ ]+)\\s+(?<INANSWER>[^ ]+)\\s+(?<OUTANSU>[^ ]+)\\s+(?<INANSU>[^ ]+)\\s+(?<MIDFAIL>[^ ]+)"

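As an added example, not code from the original thread or from Splunk, the following Python script does outside Splunk what the accepted rex does inside it, so the pattern can be checked against the sample report before it is put into a search or a props.conf. It assumes the whole report arrives as one event (one _raw), that every report starts with a header line of the shape "<switch> CM  OMPRnnn ..." (used for the event-breaking step), and that the counter names always follow the "INFO (...)" line. The sample event is the report from the question, embedded as a constructed string. It also shows a generalisation the thread only hints at: pairing names with values by column order instead of hard-coding the 26 captures.

```python
import re

# Constructed sample input: the OM report from the question as one multi-line
# event (assumption: Splunk has already merged the whole report into one _raw).
RAW_EVENT = """AMSTNLA201A CM           OMPR201 SEP08 15:16:04 3202 INFO OM REPORT
    CLASS:   LCR_OM
    START:2014/09/08 15:00:00 MON; STOP: 2014/09/08 15:15:00 MON;
    SLOWSAMPLES:         9 ; FASTSAMPLES:         90 ;

    TRK
          KEY (COMMON_LANGUAGE_NAME)
          INFO (OM2TRKINFO)
             INCATOT   PRERTEAB     INFAIL    NATTMPT   NOVFLATB      GLARE    OUTFAIL    DEFLDCA       DREU       PREU
                 TRU        SBU        MBU   OUTMTCHF    CONNECT     TANDEM        AOF        ANF       TOTU     ANSWER
             ACCCONG   NOANSWER   INANSWER    OUTANSU     INANSU    MIDFAIL

         --------------------------------------------------------------------------------------------------------------
               31614         31         84      35822       1351          4         16          0          0          0
              116631          0        397          0      34402      34255          0          0     117028      26421
                   0          0          0          0          0          0
"""

# The 26 counter names in header order, the order the accepted answer's rex uses.
FIELD_NAMES = (
    "INCATOT PRERTEAB INFAIL NATTMPT NOVFLATB GLARE OUTFAIL DEFLDCA DREU PREU "
    "TRU SBU MBU OUTMTCHF CONNECT TANDEM AOF ANF TOTU ANSWER "
    "ACCCONG NOANSWER INANSWER OUTANSU INANSU MIDFAIL"
).split()

# Event breaking: a report begins at a line like "<switch> CM  OMPRnnn ..."
# (assumption about the header shape). This is the lookahead idea behind a
# props.conf LINE_BREAKER, done here in Python so it can be checked offline.
HEADER_RE = re.compile(r"(?m)^(?=\S+\s+CM\s+OMPR\d+\s)")

# The dash rule that separates the counter names from their values.
DASH_LINE_RE = re.compile(r"\n\s*-{3,}\s*\n")


def split_reports(stream):
    """Split a stream of concatenated OM reports into one string per report."""
    return [chunk for chunk in HEADER_RE.split(stream) if chunk.strip()]


def parse_om_report(raw):
    """Map counter names to integer values by column order, not by position.

    Names are the tokens on the lines after the 'INFO (...)' line up to the
    dash rule; values are every token after it. Pairing them by order keeps
    working if column widths change, which a fixed-width regex does not.
    """
    m = DASH_LINE_RE.search(raw)
    if m is None:
        raise ValueError("no dash rule separating names from values")
    head_lines = raw[:m.start()].splitlines()
    first = max(i for i, line in enumerate(head_lines) if "INFO (" in line) + 1
    names = " ".join(head_lines[first:]).split()
    values = raw[m.end():].split()
    if len(names) != len(values):
        raise ValueError(f"{len(names)} names but {len(values)} values")
    return {name: int(value) for name, value in zip(names, values)}


def accepted_answer_rex(names, token=r"[^ ]+"):
    """Build a pattern with the same shape as the accepted answer's rex:
    the dash rule, skip non-digits, then one capture per counter joined by \\s+.
    The token class is a parameter so the [^ ]+ and \\S+ variants can be compared."""
    return r"-+[^\d]+" + r"\s+".join(rf"(?<{n}>{token})" for n in names)


def splunk_rex_to_python(pattern):
    """Splunk's rex is PCRE and accepts (?<name>...); Python's re only takes (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract_with_rex(raw, names, token=r"[^ ]+"):
    """Run the rex-style pattern and return the raw string captures, or None."""
    m = re.search(splunk_rex_to_python(accepted_answer_rex(names, token)), raw)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(parse_om_report(RAW_EVENT))
    by_rex = extract_with_rex(RAW_EVENT, FIELD_NAMES)
    # [^ ] also matches a newline, so the last value on each line keeps it.
    print(repr(by_rex["PREU"]), repr(by_rex["ANSWER"]))
    print(repr(extract_with_rex(RAW_EVENT, FIELD_NAMES, token=r"\S+")["PREU"]))
```

One thing the script makes visible: because `[^ ]` matches every character except a space, including a newline, the last counter on each value line (PREU, ANSWER and, if the event ends with a newline, MIDFAIL) is captured with the line break attached. Using `\S+` for the captures gives the same fields without the trailing newline, which matters as soon as the values are used in `stats` or compared as strings.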


Path Finder

This will do the trick:

 [\n\r].*--\s*(?<INCATOT>[0-9]*)\s*(?<PRERTEAB>[0-9]*)\s*(?<INFAIL>[0-9]*)\s*(?<NATTMPT>[0-9]*)\s*(?<NOVFLATB>[0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)\s*([0-9]*)

Path Finder

The field names (INCATOT to MIDFAIL) are fixed.


Builder

You can do it like this.
1) If your events have the fixed INCATOT to MIDFAIL block, then break your event starting from INCATOT.
2) If your events do not, then break events starting from a digit, a newline, then a word.

Then you can extract fields by using regex.


Is the sequence of your field names (INCATOT to MIDFAIL) fixed? Or can it change from event to event?
