Solved: How to extract these fields?

HeinzWaescher · ‎01-29-2020

Hi,

let's say we have events with _raw data like this:

<XY>aaa,bbbb,priority,high<XY>aaa,bbb,login,failed<XY>aaa,bbb,user,johndoe<XZ>

The events can include a random amount of this pattern.
Is it possible to create an automatic field extraction to get:

priority = high
login = failed
user = johndoe

So position 3 of the pattern should set the fieldname while position 4 sets the value.

Thankd in advance

nickhills · ‎01-29-2020

Hi @HeinzWaescher

You can use props & transforms to do this:

transforms.conf
[fields-values]
FORMAT = $1::$2
REGEX = >\w+\,\w+\,(\w+)\,(\w+)

props.conf
[yourSourcetype]
REPORT-fields-values = fields-values

Let me know how you get on.

If my comment helps, please give it a thumbs up!

nickhills · ‎01-29-2020

Hi @HeinzWaescher

You can use props & transforms to do this:

transforms.conf
[fields-values]
FORMAT = $1::$2
REGEX = >\w+\,\w+\,(\w+)\,(\w+)

props.conf
[yourSourcetype]
REPORT-fields-values = fields-values

Let me know how you get on.

If my comment helps, please give it a thumbs up!

HeinzWaescher · ‎01-29-2020

Awesome! Thanks works fine, thanks a lot

nickhills · ‎01-29-2020

you are welcome! 🙂

If my comment helps, please give it a thumbs up!

How to extract these fields?