Re: simple field extraction not working - Page 2

pjmenon · ‎06-29-2010

I've been breaking my head over this very simple field extraction.

My extraction (see eg., below) has problems because my time format has "-" and so do my other fields. I cannot specify the position of timestamp since I have 2-3 timestamps in an event. what is the best way to extract these fields?

props.conf

[source::C:\Documents and Settings\Sample]
TIME_FORMAT= %Y-%M-%D  %H:%M:%S
CHECK_FOR_HEADER = false 
REPORT-test = test

transforms.conf:

[test] 
DELIMS = ","
FIELDS = "severity", "alm_no", "site_id", "alm_type","rsv1", "start_time", "end_time","duration", "rsv2"

Sample in input file:

MINOR,56789,/aaa-bbb-bbb/tv-daop/Rkhkjkj #2/Shelf #2/jjj #1, FAIL, , 2010-06-24 21:57:46,2010-06-24 21:59:23,0 00:01:37,N/A

Splunk search result

Severity=MINOR |  alm_no=56789  |  site_id=/aaa/ |  start_time=-bbb-bbb/tv-d  |  end_time=o  |  duration=/Rkhkjkj #2/Shelf #2/jjj #1 |  rsv2_par=FAIL

pjmenon · ‎06-29-2010

Notice dashes in my field #3? "aaa-bbb-bbb" . these interfear with my formatting TIME-FORMAT. Doesn't matter if the date is in upper or lower case. Doesn't matter if you specifiy the position or not. Even afetr I did changes that you mentioned above, the same problem exists. If I just remove the dashes in field #3, things work fine even with my original conf file. One more thing to note is that I need to extract 2-3 valid timestamps in an event.

simple field extraction not working

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...