Hello,
Given the events I have to import in Splunk, I would like to extract the fields.
My problem occurs with the FUNCTION entry which can be there once, twice or not at all.
event1:
SERVER myserver1
HOST localhost
ERROR_CODE
event2:
SERVER myserver2
FUNCTION f1
FUNCTION f2
FUNCTION f3
HOST localhost
event3:
SERVER myserver3
FUNCTION f1
HOST localhost
event4:
SERVER myserver4
FUNCTION f1
FUNCTION f2
HOST localhost
ERROR_CODE
Expected result after transformation should be
event1:
server="myserver1";function="";host="localhost";error_code=""
event2:
server="myserver2";function="f1,f2,f3";host="localhost";error_code=""
event3:
server="myserver3";function="f1";host="localhost";error_code=""
event4:
server="myserver4";function="f1,f2";host="localhost";error_code=""
My last attempt was this:
(?sm)SERVER\s(?<server>[A-Za-z0-9]+)(.*?)(FUNCTION\s*(?<function>[A-Za-z0-9]*))+(.*?)HOST\s*(?<host>[A-Za-z0-9]+)(.*?)ERROR_CODE\s*(?<error_code>[A-Z0-9]*)
but I always get only the first occurrence of FUNCTION and not all of them.
Best regards
Tomasz
What about this by using max_match=0 (alternatively use MV_ADD=true in transforms.conf):
| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"
Example 1:
| stats count | fields - count
| eval _raw = "
SERVER myserver2
FUNCTION f1
FUNCTION f2
FUNCTION f3
HOST localhost
"
| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"
Output 1:
Example 2:
| stats count | fields - count
| eval _raw = "
SERVER myserver2
FUNCTION f1
HOST localhost
"
| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"
Output 2:
Example 3:
| stats count | fields - count
| eval _raw = "
SERVER myserver2
HOST localhost
"
| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"
Output 3 (sorry but can't attach any more pictures, although it works fine too)
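As an added illustration (not part of the question or the answer above), the following Python models the answer's rex with max_match=0 using re.findall and contrasts it with the repeated-capture-group attempt from the question; the event strings are constructed from the samples in the question.

```python
import re

# Constructed sample events, copied from the question (one string per event).
EVENTS = {
    "event1": "SERVER myserver1\nHOST localhost\nERROR_CODE\n",
    "event2": "SERVER myserver2\nFUNCTION f1\nFUNCTION f2\nFUNCTION f3\nHOST localhost\n",
    "event3": "SERVER myserver3\nFUNCTION f1\nHOST localhost\n",
    "event4": "SERVER myserver4\nFUNCTION f1\nFUNCTION f2\nHOST localhost\nERROR_CODE\n",
}

# Same pattern as the answer's rex; re.findall plays the role of max_match=0
# and returns every FUNCTION value, zero or more, instead of only one.
FUNCTION_RE = re.compile(r"(?msi)FUNCTION\s*([A-Za-z0-9]*)")


def single_field(raw, name):
    """Single-valued line such as SERVER/HOST/ERROR_CODE; missing or empty -> ''."""
    m = re.search(rf"(?m)^{name}[ \t]*([A-Za-z0-9]*)[ \t]*$", raw)
    return m.group(1) if m else ""


def repeated_group_pitfall(raw):
    """The question's approach: a quantified capture group (...)+ keeps only
    one capture (the last iteration), so multiple FUNCTION lines are lost."""
    m = re.search(r"(?sm)(FUNCTION\s*(?P<function>[A-Za-z0-9]*)\s*)+", raw)
    return m.group("function") if m else None


def extract(raw):
    """Build the field set from one event; function is the joined multivalue."""
    functions = FUNCTION_RE.findall(raw)
    return {
        "server": single_field(raw, "SERVER"),
        "function": ",".join(functions),
        "host": single_field(raw, "HOST"),
        "error_code": single_field(raw, "ERROR_CODE"),
    }


def render(fields):
    """Format as the expected key="value";... line from the question."""
    return ";".join(f'{k}="{v}"' for k, v in fields.items())


if __name__ == "__main__":
    for name, raw in EVENTS.items():
        print(f"{name}: {render(extract(raw))}")
        print(f"  repeated-group attempt keeps: {repeated_group_pitfall(raw)!r}")
```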