I'm trying to extract these values into a field called Data.
from sample 1:
CMD(XYZ) Val(*12A)
In props.conf
[log]
REPORT-mydata = mydata
In transforms.conf
[mydata]
REGEX = (?i).*CMD\((?<Data>\S+)\)
But it can only capture the value XYZ after CMD. I want to include the entire string, like CMD(XYZ) Val(*12A).
How do I specify in the regex to include the entire string?
sample 1:
Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) FR(*SYSVAL) **CMD(XYZ) Val(*12A)*
Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) JJJ(*NA) **CMD(XYZ) Val(*12A)*
You could use:
(\w+\([^)]+\))
to capture each one separately and then just assign them the same field extraction name so you can associate them with your events correctly.
I have made some assumptions however that there isn't another set of characters arranged like that in the events.
Feel free to comment if this is off the mark 🙂
Have a look at the following links for details on configuring these via the config files
http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Propsconf
Transforms.conf
[data_regex]
REGEX = (\w+\([^)]+\))
FORMAT = data::$1
Props.conf
REPORT-data_regex = data_regex
The transforms lines say to name group 1 ($1) as data (or whatever you specify).
You could also do:
Transforms.conf
[data_regex]
REGEX = (?<data>\w+\([^)]+\))
EDIT:
Assuming you answer yes to my comment on your question, then:
(CMD\([^)]+\) [^)]+\))
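As an added illustration (not part of the original answer or of Splunk itself), the following Python script runs the three regexes from this thread against constructed copies of the two sample events and shows what each would put in the field: the asker's original pattern, the generic token pattern with FORMAT = data::$1, and the named-group form. It assumes Python's re engine, so Splunk's (?<name>...) syntax is rewritten to (?P<name>...) by a small helper.

```python
import re

# Constructed copies of the two sample events posted in the question; the
# trailing "CMD(XYZ) Val(*12A)" is the piece the asker wants in one field.
EVENTS = [
    "Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|"
    "src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc "
    "OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) "
    "OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) FR(*SYSVAL) CMD(XYZ) Val(*12A)",
    "Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|"
    "src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc "
    "OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) "
    "OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) JJJ(*NA) CMD(XYZ) Val(*12A)",
]


def splunk_named(pattern):
    """Rewrite Splunk/PCRE (?<name>...) groups to Python's (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract_original(event):
    # The asker's transforms.conf REGEX: \S+ stops at the space, so only XYZ.
    m = re.search(splunk_named(r"(?i).*CMD\((?<Data>\S+)\)"), event)
    return m.group("Data") if m else None


def extract_any_token(event):
    # The answer's generic REGEX with FORMAT = data::$1: every match of
    # group 1 becomes one value of the multivalued field "data".  On the
    # updated samples this also picks up LIB(ABCD), DEV(*SA), ... which is
    # exactly the assumption the answer warned about.
    return re.findall(r"(\w+\([^)]+\))", event)


def extract_named(event, pattern):
    # Named-group form (the "(?<data>...)" variant in the answer): the group
    # name becomes the field name, so no FORMAT line is needed.
    m = re.search(splunk_named(pattern), event)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for ev in EVENTS:
        print("original :", extract_original(ev))
        print("any token:", extract_any_token(ev))
        print("cmd+val  :", extract_named(ev, r"(?<data>CMD\([^)]+\) [^)]+\))"))
```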
Does it always end with the data you want to collect? As in, they are always at the end of the event?
no prob 🙂
It works.. thanks 🙂
Thanks! Gonna test it soon.
way ahead of you, check out my comment on the question and my edit 🙂
Thanks.. I've also updated the example event, hopefully it's much clearer.
Your added examples have 3 characters followed by whitespace and then more characters. My example will look for characters followed directly by an open bracket.
Is there some defined example that this data always follows you could also use to regex on?
@remy06 you can use the same thing, I'll update my answer with two examples
There are sets of characters in other parts of the event. I've updated the sample. Usually if I specify in transforms.conf the "" becomes the extracted field name. In your example, how do I specify the field name?