Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the fields for kv pair syslog data?

knalla
Path Finder
‎08-27-2018 08:13 AM

Hi All,

How to extract the fields for the syslog data with kv values at indexing time?

Aug 27 10:05:58 ciscoasa SFIMS: Protocol: TCP, SrcIP: 1.2.3.1, OriginalClientIP: ::, DstIP: 11.22.33.44, SrcPort: 50981, DstPort: 443, TCPFlags: 0x0, IngressZone: N_inside, EgressZone: N_outside, DE: Primary Detection Engine (ccc24074-6d7e-11e7-9213-b429232f86cc), Policy:allowed_new, ConnectType: Start, AccessControlRuleName: Allow port 80 443, AccessControlRuleAction: Allow, Prefilter Policy: WE_Prefilter, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Windows, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 436, ResponderBytes: 66, Policy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Business and Economy, URLReputation: Well known, URL: splunk.com

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

horsefez
Motivator
‎08-27-2018 08:25 AM

Hi @knalla,

this regular expression should work

^(?:[^\s]+\s*:){5}|([^:]+):\s*([^,]+)[,$]*
https://regex101.com/r/0lWcR3/1

props.conf

[yoursourcetype]
TRANSFORMS-yourfirstextraction = extractexample



transforms.conf

[extractexample]
REGEX=^(?:[^\s]+\s*:){5}|([^:]+):\s*([^,]+)[,$]*
FORMAT = $1::$2
MV_ADD = true

View solution in original post

Reply
Solved! Jump to solution
Solution

horsefez
Motivator
‎08-27-2018 08:25 AM

Hi @knalla,

this regular expression should work

^(?:[^\s]+\s*:){5}|([^:]+):\s*([^,]+)[,$]*
https://regex101.com/r/0lWcR3/1

props.conf

[yoursourcetype]
TRANSFORMS-yourfirstextraction = extractexample



transforms.conf

[extractexample]
REGEX=^(?:[^\s]+\s*:){5}|([^:]+):\s*([^,]+)[,$]*
FORMAT = $1::$2
MV_ADD = true
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...