Solved: Problem extracting fields from auto extracted fiel...

ktn01 · ‎08-20-2019

Hello,

I have events in the following format:

20/08/19 16:34:17 login1 command RunAsUsers="web,tomcat,embed"

with the following configs

props.conf:

[mysourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %d/%m/%y %H:%M:%S
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
KV_MODE = auto_escaped
REPORT-mysourcetype = login,user

transforms.conf:

 [login]
 REGEX = ^[\d\s/:]+(?P<user>\w*)\s+(?P<type>\w*)

 [user]
 SOURCE_KEY = RunAsUsers
 REGEX = (?P<user>[^,]+)
 MV_ADD = true

Fields "user", "type" and "RunAsUsers" are well extracted but the multi KV "user" is not created.

An idea of what I'm doing wrong?

Thanks
Christian

ktn01 · ‎11-01-2019

Hello,

For information, Splunk support give me the following solution using the config file "fields.conf":

[RunAsUsers]
TOKENIZER = ([^,]+)

Regards
Christian

View solution in original post

ktn01 · ‎11-01-2019

Hello,

For information, Splunk support give me the following solution using the config file "fields.conf":

[RunAsUsers]
TOKENIZER = ([^,]+)

Regards
Christian

ktn01 · ‎08-20-2019

Sorry, regex on [login] is

^[\d\s/:]+(?P<login>\w*)\s+(?P<type>\w*)

The field login is well extracted but user is not

Problem extracting fields from auto extracted field

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!