Splunk Search

How to parse CEF files with key value pairs that contain white space?

brent_weaver
Builder

Hello all!

I am a Splunk "newb" when it comes to parsing out files for ingestion. Here is my situation. I have a CEF formatted file, which onto itself is not a problem. Splunk handles that just fine... What is a problem is at the end of lines there are key/value pairs, but the values have white spaces in it and Splunk (or better yet I) cannot figure out how to parse that out. Here is an example:

CEF|ProdManuf|ProdName|Vervion|Timestamp| key1=this is key1 key2=this is key two  key3=another random length string 

So my question is how do I deal with the tail end of this string to get these as full key value pairs. I would assume a regular expression that will capture the pairs.

Thanks!

0 Karma
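As an added example (not from this thread and not Splunk's own code), here is the regular-expression approach the question asks for, in Python: a value is taken to run until the next `word=` token or the end of the line, so spaces inside values survive. The sample line, key names and function names are constructed for this illustration; the same pattern can be reused in a Splunk rex or transforms.conf extraction.

```python
import re

# Constructed sample in the shape described in the question (not real CEF data).
SAMPLE = ("CEF|ProdManuf|ProdName|Version|Timestamp| "
          "key1=this is key1 key2=this is key two  key3=another random length string ")

# Hypothetical pattern for this page: a key is a run of word characters, and the
# lazy value match stops just before the whitespace that precedes the next "key="
# (or at trailing whitespace / end of line). Caveat: a literal "word=" inside a
# value, or an unescaped "=" in a value, would be mistaken for a new pair.
PAIR_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|\s*$)')


def parse_extension(extension: str) -> dict:
    """Return {key: value} from a CEF-style extension whose values may contain spaces."""
    return {m.group(1): m.group(2) for m in PAIR_RE.finditer(extension)}


def parse_line(line: str) -> dict:
    """Split the pipe-delimited header from the trailing extension and parse both."""
    header, _, extension = line.rpartition('|')
    return {'header': header.split('|'), 'extension': parse_extension(extension)}


if __name__ == '__main__':
    for key, value in parse_line(SAMPLE)['extension'].items():
        print(f'{key!r} -> {value!r}')
```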

dshpritz
SplunkTrust

Hey Brent,
Check out my answer here.

You may need to adjust some of the regular expressions, but generally it works pretty well. You may also need to add additional extractions for some edge cases.

Thanks,

Dave

brent_weaver
Builder

This data will be coming in tailing a file. But as I stated in my post I am currently uploading the file via the web interface for testing.

0 Karma

dshpritz
SplunkTrust

You may want to look into using the oneshot command, something like:
splunk add oneshot "/path/to/host1/file" -index myidx -sourcetype mytype

0 Karma

brent_weaver
Builder

Dave -

Thank you for taking the time to answer this post. I am new to Splunk and cannot figure out how to make this become a sourcetype. For testing purposes I am just taking my CEF file and uploading it through the web portal. I have a TA for Imperva that does most of the job except the multi-word key value pairs.

So how do I take the article you referenced and make it a sourcetype that I can apply when reading in the file? Perhaps I am missing an app.conf file?

0 Karma

dshpritz
SplunkTrust

The best place to set the source type is usually on the input. Is this data coming in via syslog? Or is this coming in by tailing a file?

0 Karma