Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with hyphen delimited sourcetype and spaces

jstockamp
Communicator
‎01-06-2014 03:42 PM

I've got some logs that are in a format like this

2013-12-29 08:23:21,151 - INFO - 1.1.1.1 - None - None - SERVER1 - User keynote@test.com logged in... - Mozilla/4.0 (compatible; MSIE 8.0; Webmetrics; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

as you can see the field delimiter here is " - " (including the spaces). When I setup my custom sourcetype and field extractions using

DELIMS=" - "

it seems to be ignoring the spaces and breaking the fields at the first "-" rather than " - ". I'm getting "2013" as my first field rather than "2013-12-29 08:23:21,151"

I've tried using DELIMS="\s-\s" and that doesn't seem to work either.

Anyone have any ideas?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-07-2014 05:48 PM

DELIMS is not a regular expression, it is a list of breaking characters. The hyphen was a poor choice by the author of your log file, as it is not just a breaking character but a valid character for part of a field. Splunk doesn't do well with "sometimes it means this and sometimes it means that" -- but you can always use regular expressions.

This will probably work:

[extractYourFields]
REGEX =,.*?\s-\s(?:(.*?)\s-\s)*(.*?)
FORMAT = first::$1 second::$2 third::$3

where first, second, and third are the names of the fields.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-07-2014 05:48 PM

DELIMS is not a regular expression, it is a list of breaking characters. The hyphen was a poor choice by the author of your log file, as it is not just a breaking character but a valid character for part of a field. Splunk doesn't do well with "sometimes it means this and sometimes it means that" -- but you can always use regular expressions.

This will probably work:

[extractYourFields]
REGEX =,.*?\s-\s(?:(.*?)\s-\s)*(.*?)
FORMAT = first::$1 second::$2 third::$3

where first, second, and third are the names of the fields.

0 Karma
Reply
Solved! Jump to solution

jstockamp
Communicator
‎01-09-2014 09:17 AM

Thanks, I was able to get a regex extract for my sourcetype to work. Not the optimal solution, but it will work. I completely agree the hyphen was a poor choice.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎01-06-2014 03:51 PM

Will it work if you do this

DELIMS="\ -\ "

Quoting the spaces might make Splunk see them...

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎01-07-2014 05:35 PM

I was afraid that this wouldn't work. Oh well, see next answer.

0 Karma
Reply
Solved! Jump to solution

jstockamp
Communicator
‎01-06-2014 03:59 PM

Nope, same behavior, delimits on the first "-" and not " - "

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...