Splunk Search

How to edit the regex in transforms.conf to delete multiline portion of .txt file?

larmesto
Path Finder

Hello Folks,

I'm struggling to parse this part of a .txt file using regex within transforms.conf:

[07-21-2017 22:00:32.845] [Installation] [Outlook Network Check] [Info] :: Start of Check Outlook Network script
[07-21-2017 22:00:32.845] [Installation] [Outlook Network Check] [Info] :: Outlook activation version: 0.0.1
[07-21-2017 22:00:32.861] [Installation] [Outlook Network Check] [Info] :: Logged on User Name: test\test.user
[07-21-2017 22:00:32.861] [Installation] [Outlook Network Check] [Info] :: Log Name: C:\Users\test.user\AppData\Local\Temp\aaa55454-21-2017 10-00-28 PM.txt

Computer Name : aaa55454
Description : Intel(R) Dual Band Wireless-AC 7260
IPEnabled : True
IPAddress : {192.168.1.106, fe80::d5rf:2321:c979:beba}
IPSubnet : {255.255.255.0, 64}
DefaultIPGateway : {192.168.1.1}
DHCPEnabled : True
DHCPServer : 192.168.1.1
DNSDomain : dlinkrouter
DNSDomainSuffixSearchOrder : {test1.com, test2.ca.com, test3.eu.ca.com,
ptest.ca.com...}
DNSServerSearchOrder : {192.168.1.1}

[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: -----------------------------------------------------------------------------------------
[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: Computer: aaa55454 is connected via CA.
[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: -----------------------------------------------------------------------------------------
[07-21-2017 22:00:33.719] [Installation] [Outlook Network Check] [Info] :: Start Checking Server Connection...
[07-21-2017 22:00:33.719] [Installation] [Outlook Network Check] [Info] :: Checking test.outlook.com, 443...

I'm lost right now.. Could you help me on how to achieve this?
Kind regards.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi larmesto,
if your log structure is fixed, you could try inserting in your props.conf something like this:

SEDCMD-shorten_events1 = s/.*Computer Name\s:\s/Computer Name\s:\s/g
SEDCMD-shorten_events2 = s/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}.*/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}/g

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi larmesto,
if your log structure is fixed, you could try inserting in your props.conf something like this:

SEDCMD-shorten_events1 = s/.*Computer Name\s:\s/Computer Name\s:\s/g
SEDCMD-shorten_events2 = s/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}.*/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}/g

Bye.
Giuseppe

0 Karma

lguinn2
Legend

What do you want the event to look like in Splunk? Does this log actually include the text of the file? Do you want to index any part of that?

0 Karma

larmesto
Path Finder

Hi,

Yes. I want to index the values within the BOLD variables.
Is there a way I could transform the whole event as:

TIME_STAMP SUBJECT ACTION TYPE DESCRIPTION STATUS AD_SITE USER_NAME COMPUTER_NAME IP_ADDRESS IP_SUBNET DefaultIPGateway

Thank you.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...