Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit the regex in transforms.conf to delete multiline portion of .txt file?

larmesto
Path Finder
‎07-24-2017 09:39 AM

Hello Folks,

I'm struggling to parse this part of a .txt file using regex within transforms.conf:

[07-21-2017 22:00:32.845] [Installation] [Outlook Network Check] [Info] :: Start of Check Outlook Network script
[07-21-2017 22:00:32.845] [Installation] [Outlook Network Check] [Info] :: Outlook activation version: 0.0.1
[07-21-2017 22:00:32.861] [Installation] [Outlook Network Check] [Info] :: Logged on User Name: test\test.user
[07-21-2017 22:00:32.861] [Installation] [Outlook Network Check] [Info] :: Log Name: C:\Users\test.user\AppData\Local\Temp\aaa55454-21-2017 10-00-28 PM.txt

Computer Name : aaa55454
Description : Intel(R) Dual Band Wireless-AC 7260
IPEnabled : True
IPAddress : {192.168.1.106, fe80::d5rf:2321:c979:beba}
IPSubnet : {255.255.255.0, 64}
DefaultIPGateway : {192.168.1.1}
DHCPEnabled : True
DHCPServer : 192.168.1.1
DNSDomain : dlinkrouter
DNSDomainSuffixSearchOrder : {test1.com, test2.ca.com, test3.eu.ca.com,
ptest.ca.com...}
DNSServerSearchOrder : {192.168.1.1}

[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: -----------------------------------------------------------------------------------------
[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: Computer: aaa55454 is connected via CA.
[07-21-2017 22:00:33.703] [Installation] [Outlook Network Check] [Info] :: -----------------------------------------------------------------------------------------
[07-21-2017 22:00:33.719] [Installation] [Outlook Network Check] [Info] :: Start Checking Server Connection...
[07-21-2017 22:00:33.719] [Installation] [Outlook Network Check] [Info] :: Checking test.outlook.com, 443...

I'm lost right now.. Could you help me on how to achieve this?
Kind regards.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-21-2017 07:34 AM

Hi larmesto,
if your log structure is fixed, you could try inserting in your props.conf something like this:

SEDCMD-shorten_events1 = s/.*Computer Name\s:\s/Computer Name\s:\s/g
SEDCMD-shorten_events2 = s/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}.*/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}/g

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-21-2017 07:34 AM

Hi larmesto,
if your log structure is fixed, you could try inserting in your props.conf something like this:

SEDCMD-shorten_events1 = s/.*Computer Name\s:\s/Computer Name\s:\s/g
SEDCMD-shorten_events2 = s/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}.*/DNSServerSearchOrder\s:\s\{\d+\.\d+\.\d+\.\d+\}/g

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎07-26-2017 10:36 PM

What do you want the event to look like in Splunk? Does this log actually include the text of the file? Do you want to index any part of that?

0 Karma
Reply
Solved! Jump to solution

larmesto
Path Finder
‎09-21-2017 07:24 AM

Hi,

Yes. I want to index the values within the BOLD variables.
Is there a way I could transform the whole event as:

TIME_STAMP SUBJECT ACTION TYPE DESCRIPTION STATUS AD_SITE USER_NAME COMPUTER_NAME IP_ADDRESS IP_SUBNET DefaultIPGateway

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...