Splunk Search

Tried DELIMS, REPORT but cannot get neither working

Esky73
Builder

Sample data:

Number: 152119522
Date : 12/01/2015 12:00:00 AM, Execution Time: 1945
Area Code: 21
Area Name: reading
Road: 7789
Code: 230
Description: Backup Failed

I have successfully managed to extract the required fields individually, but I am trying to do it another way, using the colon as a delimiter, and I cannot get it working. Config files:

props.conf

[sourcetype]
TRANSFORMS-colons = colons

transforms.conf

[colons]
REGEX = (?<_KEY_1>\w+):\s+(?<_VAL_1>\S+)

Where am I going wrong? Cheers.

1 Solution

gvmorley
Contributor

Hi there,

This should be possible. I had a go with your data using this in props.conf:

[test-ext]
TRUNCATE = 0
SHOULD_LINEMERGE = false
LINE_BREAKER = (NULL)
DATETIME_CONFIG = CURRENT
MAX_EVENTS = 100000
REPORT-test-ext = sourcetype-test-ext

You'd need to change the TRUNCATE, MAX_EVENTS and LINE_BREAKER to whatever works best for you. This was just for a quick test.

Also, if you want to use the Date from your data as the Index time, then take a look at the TIME_PREFIX and TIME_FORMAT options.

Then in transforms.conf:

[sourcetype-test-ext]
REGEX = ([^:]+):\s([^\r\n,]+)
FORMAT = $1::$2

Which gives me this in Splunk:

[screenshot of the extracted fields; image not available]

Hopefully that gets you closer to what you're looking for.
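To see why the two patterns behave so differently, here is a small emulation (added here, not code from the thread) that runs the question's `\w+` key pattern and the answer's `([^:]+):\s([^\r\n,]+)` pattern over the sample event match by match, the way a REPORT extraction yields every match. The `clean_key` helper is an assumption that approximates Splunk's documented CLEAN_KEYS rule, so the exact field names Splunk shows may differ slightly.

```python
import re

# Constructed copy of the sample event from the question (one multi-line event).
EVENT = (
    "Number: 152119522\n"
    "Date : 12/01/2015 12:00:00 AM, Execution Time: 1945\n"
    "Area Code: 21\n"
    "Area Name: reading\n"
    "Road: 7789\n"
    "Code: 230\n"
    "Description: Backup Failed\n"
)

# Pattern from the question (Python spells named groups as (?P<name>...)).
QUESTION_REGEX = re.compile(r"(?P<_KEY_1>\w+):\s+(?P<_VAL_1>\S+)")
# Pattern from the answer; with FORMAT = $1::$2, group 1 is the field name, group 2 the value.
ANSWER_REGEX = re.compile(r"([^:]+):\s([^\r\n,]+)")


def clean_key(raw: str) -> str:
    """Assumed approximation of Splunk's CLEAN_KEYS: non-alphanumeric characters
    become underscores, then leading underscores and digits are stripped."""
    return re.sub(r"[^A-Za-z0-9]", "_", raw).lstrip("_0123456789")


def extract(regex: re.Pattern, event: str) -> dict:
    """Apply the pattern to every match in the event and collect the values
    per field name; a list stands in for a Splunk multivalue field."""
    fields = {}
    for m in regex.finditer(event):
        key = clean_key(m.group(1))
        fields.setdefault(key, []).append(m.group(2))
    return fields


if __name__ == "__main__":
    for name, rx in (("question", QUESTION_REGEX), ("answer", ANSWER_REGEX)):
        print(f"--- {name} regex ---")
        for k, v in extract(rx, EVENT).items():
            print(f"{k} = {v}")
```

Running it shows the question's pattern losing `Date` entirely (the space before its colon defeats `\w+:`), collapsing `Area Code` and `Code` into one field, and truncating `Backup Failed` to `Backup`, while the answer's pattern keeps whole keys and values but carries the surrounding newline, comma and trailing space into group 1, which is why key cleaning matters.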



Esky73
Builder

thanks for your help
