I am capturing some machine data and am wondering if it is possible to grab more or fewer fields via field extraction based on a size field in the data itself?
1480823739.999999 bus device  aa bb ff 00 33 33 1480823741.999999 bus device  ab f0
with the  and  in the data being the size values respectively.
My present field extraction regex looks like this:
This gets me extracted up to the message bytes. While I can just import the data values as a single field, I would like to be able to pull each two hex characters into separate fields based on this size data.
Expanding on my regex, if I add multiple byte extractions to cover all instances, the smaller messages will not be extracted.
This results in the 6 byte messages being trapped, and none of the smaller messages will be.
Can I have Splunk create multiple >byte1<,>byte2<,>byteN<... extractions based on the >data_len< field?
What you could do is, create a multi-value field. In your props.conf add the following
EXTRACT-msg_bytes = \]\s(?<msg_bytes>.*)
This will extract all the message bytes into a mv field called msg_bytes. You can then use this in your search query to get to individual bits using
base search that returns in msg_bytes amongst others | makemv msg_bytes delim=" " | eval msg_length=mvcount(msg_bytes) | mvexpand msg_bytes | you should now have msg_bytes extracted into individual events.
OR if you just want a specific one
base search that returns in msg_bytes amongst others | eval msg_bit=mvindex(split(msg_bytes, " "), 0) | this will give you the first bit etc.
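As an added illustration (not part of the original answer), the following Python simulates what the props.conf extraction plus makemv/mvcount/mvexpand pipeline produces, and also checks each event's payload against its declared size. It assumes the length field is bracketed (`[6]`, `[2]`), as the answer's `\]\s` regex implies, and uses `data_len` as the field name from the question; the sample events are constructed.

```python
import re

# Constructed sample events in the shape the question describes. The bracketed
# "[6]" / "[2]" size field is an assumption taken from the answer's \]\s regex.
SAMPLE_EVENTS = [
    "1480823739.999999 bus device [6] aa bb ff 00 33 33",
    "1480823741.999999 bus device [2] ab f0",
    "1480823742.999999 bus device [3] 01 02",   # declared size does not match payload
]

# Same tail as the answer's EXTRACT-msg_bytes regex, plus a capture for the
# bracketed size (field name data_len is taken from the question).
EVENT_RE = re.compile(r"\[(?P<data_len>\d+)\]\s(?P<msg_bytes>.*)")


def extract_fields(event):
    """Mimic the pipeline: extract msg_bytes, makemv delim=" ", mvcount, then
    fan out into byte1..byteN. Returns a dict, or None if the event does not match."""
    m = EVENT_RE.search(event)
    if m is None:
        return None
    msg_bytes = m.group("msg_bytes").split()          # makemv msg_bytes delim=" "
    fields = {
        "data_len": int(m.group("data_len")),
        "msg_bytes": msg_bytes,
        "msg_length": len(msg_bytes),                 # eval msg_length=mvcount(msg_bytes)
    }
    # byte1..byteN, however many bytes the event actually carries.
    for i, b in enumerate(msg_bytes, start=1):
        fields[f"byte{i}"] = b
    # Flag events whose declared size disagrees with the captured payload,
    # which is worth alerting on rather than silently trusting the size field.
    fields["length_ok"] = fields["data_len"] == fields["msg_length"]
    return fields


def extract_all(events):
    """Apply extract_fields to every event, dropping non-matching ones."""
    return [f for f in (extract_fields(e) for e in events) if f is not None]


if __name__ == "__main__":
    for row in extract_all(SAMPLE_EVENTS):
        print(row)
```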