- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit the regex in transforms.conf to delete...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Folks,
I'm struggling to parse this part of a .txt file using regex within transforms.conf:
[07-21-2017 22:00:32.845] [Installation] [Outlook Network Check] [Info] :: Start of Check Outlook Network script
[07-21-2017 22:00:32.845] [Installation] [Outlook Network Check] [Info] :: Outlook activation version: 0.0.1
[07-21-2017 22:00:32.861] [Installation] [Outlook Network Check] [Info] :: Logged on User Name: test\test.user
[07-21-2017 22:00:32.861] [Installation] [Outlook Network Check] [Info] :: Log Name: C:\Users\test.user\AppData\Local\Temp\aaa55454-21-2017 10-00-28 PM.txt
Computer Name : aaa55454
Description : Intel(R) Dual Band Wireless-AC 7260
IPEnabled : True
IPAddress : {192.168.1.106, fe80::d5rf:2321:c979:beba}
IPSubnet : {255.255.255.0, 64}
DefaultIPGateway : {192.168.1.1}
DHCPEnabled : True
DHCPServer : 192.168.1.1
DNSDomain : dlinkrouter
DNSDomainSuffixSearchOrder : {test1.com, test2.ca.com, test3.eu.ca.com,
ptest.ca.com...}
DNSServerSearchOrder : {192.168.1.1}
[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: -----------------------------------------------------------------------------------------
[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: Computer: aaa55454 is connected via CA.
[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: -----------------------------------------------------------------------------------------
[07-21-2017 22:00:33.719] [Installation] [Outlook Network Check] [Info] :: Start Checking Server Connection...
[07-21-2017 22:00:33.719] [Installation] [Outlook Network Check] [Info] :: Checking test.outlook.com, 443...
I'm lost right now.. Could you help me on how to achieve this?
Kind regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi larmesto,
if your log structure is fixed, you could try inserting in your props.conf something like this:
SEDCMD-shorten_events1 = s/.*Computer Name\s:\s/Computer Name\s:\s/g
SEDCMD-shorten_events2 = s/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}.*/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}/g
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi larmesto,
if your log structure is fixed, you could try inserting in your props.conf something like this:
SEDCMD-shorten_events1 = s/.*Computer Name\s:\s/Computer Name\s:\s/g
SEDCMD-shorten_events2 = s/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}.*/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}/g
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you want the event to look like in Splunk? Does this log actually include the text of the file? Do you want to index any part of that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes. I want to index the values within the BOLD variables.
Is there a way I could transform the whole event as:
TIME_STAMP SUBJECT ACTION TYPE DESCRIPTION STATUS AD_SITE USER_NAME COMPUTER_NAME IP_ADDRESS IP_SUBNET DefaultIPGateway
Thank you.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
