I'm dealing with a highly customized access log that isn't being processed properly by access_combined sourcetype during indexing. Fields aren't being pulled out.
Is there a way to write a regex in search time extractions that will simply do something similar to a split(_raw," ")?
I CANNOT do something like this because it's way too slow to rex out or split the entire data set (it's huge):
index=blah | rex field=_raw "(?<field1>\S+)\s(?<field2>\S+)\s" | search field1=wowthiswasslow
It needs to be streaming so that I can search like:
Yup, that’s a better way to parse delimited fields long term.
I honestly can’t imagine splitting by spaces is going to work for web logs, though. What about user agents?
| eval allfields=_raw | makemv allfields
This may not work well for your specific use case, but it will split into as many values as it needs.
delim defaults to "," so I left it out of the command.
Hmm ok, I'm looking for it now, but how do I search for something like allfields=blah?
Found it: | eval field7=mvindex(allfields,7) | search field7=200
Still left wondering if this will be slow due to the extra | search
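A worked illustration, added here and not part of the thread or of Splunk's own code, of the point raised above about user agents: a plain split on spaces (the equivalent of split(_raw," ") or makemv delim=" ") yields a different number of values per line as soon as the request line or user agent contains spaces, while a split that keeps quoted and bracketed groups together returns a stable set of positions. The two log lines are constructed for the example; the field names follow the Apache combined format.

```python
import re

# Constructed combined-format lines (not taken from the thread).
SAMPLE = ('10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 '
          '"http://example.test/start" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"')
SAMPLE2 = ('10.0.0.5 - - [12/Mar/2024:10:15:33 +0000] "GET /index.html HTTP/1.1" 200 5120 '
           '"http://example.test/start" '
           '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
           '(KHTML, like Gecko) Chrome/120.0 Safari/537.36"')

# Positional names for the combined format once quoted/bracketed groups are kept whole.
COMBINED_FIELDS = ["clientip", "ident", "user", "timestamp", "request",
                   "status", "bytes", "referer", "useragent"]

# One token is either a "quoted string", a [bracketed group], or a run of non-spaces.
TOKEN_RE = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')


def naive_split(line):
    """Equivalent of split(_raw, " "): every space starts a new value."""
    return line.split(" ")


def quote_aware_split(line):
    """Keep "..." and [...] groups as single values, stripping the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(line)]


def to_fields(line):
    """Map a combined-format line to named fields; None means the line did not parse."""
    tokens = quote_aware_split(line)
    if len(tokens) != len(COMBINED_FIELDS):
        return None
    return dict(zip(COMBINED_FIELDS, tokens))


if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE2):
        print("naive values:", len(naive_split(line)),
              "quote-aware values:", len(quote_aware_split(line)))
    print(to_fields(SAMPLE)["status"], to_fields(SAMPLE2)["useragent"])
```

With a naive split, the status code happens to land at the same index on both lines because everything before it has a fixed number of spaces, but every value after the referer shifts with the user agent, so a fixed mvindex into the trailing positions is not reliable; the quote-aware split gives nine values on both lines.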