Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk field seperators
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I love Splunk's ability to dynamically pull fields at runtime with name=value pairs.
I have several log formats which have a "key name: value" format or similar. The exact settings are:
There may potentially be spaces in both the key name and value
There are always two spaces between the colon and the value
The value may be blank
Each set of values is separated by three or four spaces
Subject: Security ID: S-1-5-18 Account Name: ACCOUNT$ Account Domain: DOMAIN Logon ID: 0x3e7 Process Information: New Process ID: 0x1bdc Another Field: Test Results negative
The regex I'm trying to use for my extraction is
\s\s\s([^\s]+):\s\s(.*)\s\s\s
Where am I going wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use a regex that extracts the key and the value in transforms.conf.
[with_colon]
REGEX = \t([^\s:]+):\s(\S+)\t
FORMAT = $1::$2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suppose the problem if the key or value may contain spaces is, how do you tell when one end and other begins, e.g., if you see:
one two: three four five: six seven eight nine: ten eleven: twelve
What would be the field names and what would be the values? Apparently one two is a field, but is its value three or three four? And so on.
If you can define that, then a regex can be created, but the idea is kind of what is in Ayn's answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There should be a tab character between each set of fields so appending and prepending to the regex from Ayn should do the trick. I'll try it out and see how it goes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use a regex that extracts the key and the value in transforms.conf.
[with_colon]
REGEX = \t([^\s:]+):\s(\S+)\t
FORMAT = $1::$2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn, many thanks. I've done some additional research on the message format and updated the question accordingly. Could you take a look at what I need in the way of a regex?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
True, I missed that in the question! Editing to reflect on that, and the info that tabs are at the start and end of each k/v pair.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well, the field name may include spaces.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
