Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with hyphen delimited sourcetype and spaces

jstockamp
Communicator
‎01-06-2014 03:42 PM

I've got some logs that are in a format like this

2013-12-29 08:23:21,151 - INFO - 1.1.1.1 - None - None - SERVER1 - User keynote@test.com logged in... - Mozilla/4.0 (compatible; MSIE 8.0; Webmetrics; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

as you can see the field delimiter here is " - " (including the spaces). When I setup my custom sourcetype and field extractions using

DELIMS=" - "

it seems to be ignoring the spaces and breaking the fields at the first "-" rather than " - ". I'm getting "2013" as my first field rather than "2013-12-29 08:23:21,151"

I've tried using DELIMS="\s-\s" and that doesn't seem to work either.

Anyone have any ideas?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-07-2014 05:48 PM

DELIMS is not a regular expression, it is a list of breaking characters. The hyphen was a poor choice by the author of your log file, as it is not just a breaking character but a valid character for part of a field. Splunk doesn't do well with "sometimes it means this and sometimes it means that" -- but you can always use regular expressions.

This will probably work:

[extractYourFields]
REGEX =,.*?\s-\s(?:(.*?)\s-\s)*(.*?)
FORMAT = first::$1 second::$2 third::$3

where first, second, and third are the names of the fields.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-07-2014 05:48 PM

DELIMS is not a regular expression, it is a list of breaking characters. The hyphen was a poor choice by the author of your log file, as it is not just a breaking character but a valid character for part of a field. Splunk doesn't do well with "sometimes it means this and sometimes it means that" -- but you can always use regular expressions.

This will probably work:

[extractYourFields]
REGEX =,.*?\s-\s(?:(.*?)\s-\s)*(.*?)
FORMAT = first::$1 second::$2 third::$3

where first, second, and third are the names of the fields.

0 Karma
Reply
Solved! Jump to solution

jstockamp
Communicator
‎01-09-2014 09:17 AM

Thanks, I was able to get a regex extract for my sourcetype to work. Not the optimal solution, but it will work. I completely agree the hyphen was a poor choice.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎01-06-2014 03:51 PM

Will it work if you do this

DELIMS="\ -\ "

Quoting the spaces might make Splunk see them...

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎01-07-2014 05:35 PM

I was afraid that this wouldn't work. Oh well, see next answer.

0 Karma
Reply
Solved! Jump to solution

jstockamp
Communicator
‎01-06-2014 03:59 PM

Nope, same behavior, delimits on the first "-" and not " - "

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...