Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

best field extraction regex for custom log format

dominiquevocat
SplunkTrust
SplunkTrust
‎09-14-2011 05:40 AM

Hi,

i have a written DirXML driver that audits specific attributes that change and write syslog using log4j. The format i emply is always {attribute:nameOfAttribute} {qualified-src-dn:valueofqualifiedSrcDn} etc. So I am trying to generate a regex to take
any occurance of {x:y} and treat x as fieldname and y as value in field of name x.

I had no luck using the interactive log extractor. Also complicating things is that the DN has plenty of "dangerous" characters for a regex.

Any help is aprechiated. Oh the format i employ is inspired by XDAS. I can modify the format if it makes i easier but i figured using {} would make it easier.

Tags (1)
0 Karma
Reply

stephanbuys
Path Finder
‎09-14-2011 06:11 AM

Try: {([^:].+?):([^}].+?)}

$1 will be your key and $2 will be your value.

0 Karma
Reply

dominiquevocat
SplunkTrust
SplunkTrust
‎04-18-2012 07:31 AM

The regex works on my sample data see http://regexr.com?30mep however i get no fields in splunk when i use it as a inline regex. Is there a way in splunk 4.3 and up to do it inline?

0 Karma
Reply

dominiquevocat
SplunkTrust
SplunkTrust
‎09-14-2011 08:35 AM

ok, the second one seems to work nice enough. Thanks

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-14-2011 07:47 AM

Don't do this in the interactive field extractor. You'll have to do it in manager or the config file. I don't the IFE can handle dynamic field names. The regex {(?<_KEY_1>[^:]*):(?<_VAL_1>[^}]*)} should also work.

0 Karma
Reply

dominiquevocat
SplunkTrust
SplunkTrust
‎09-14-2011 06:34 AM

also i might add i strive to have the value of $1 as the fieldname in splunk named as such and not as group named "1". Does that make sense?

0 Karma
Reply

dominiquevocat
SplunkTrust
SplunkTrust
‎09-14-2011 06:30 AM

Looks nice... i get
Invalid regex: no named extraction at position 0 (i.e., "{([^:].+?)..."). Expected "(?Ppattern)"

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...