Simple event parsing question

ehs · ‎01-11-2012

My log file has tabular (several columns) data that I need to parse. Each element in a row is separated by spaces, and the columns line up:

Event 1:   01-11 22:22    Some_Data    2   ABC
Event 2:   01-11 20:22    Other_Data   0   XYZABC

How can I "tag" each column so that I can search and filter by it. For instance, if I'd like to call the second column TITLE, I then would like to be able to filter for all events where the TITLE="Some_Data"..which should then return Event 1.

Damien_Dallimor · ‎01-11-2012

Assuming that the data is indexed without the "Event 1:" etc.. prefix :

01-11 22:22    Some_Data    2   ABC
01-11 20:22    Other_Data   0   XYZABC

Then in props.conf you could define a search time extraction like :

[my_sourcetype]
EXTRACT-extract_my_fields = (?<datetime>\d{2}-\d{2}\s\d{2}:\d{2})\s+(?<title>\w+)\s+(?<col3>\w+)\s+(?<col4>\w+)

Note : I've made a few assumptions about the pattern of the column values, hence it's a rather generic regex, but you can tweak it as needed. Also, I didn't know what to name col3 and col4, so put your own keys in.

Simple event parsing question

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!

Are you a member of the Splunk Community?

Simple event parsing question

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!