New to Splunk so any help is appreciated.
I am uploading mytest.log and trying to use SEDCMD to unravel a few fields.
Here is what the mytest.log looks like:
Jun 30 11:33:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test cs2Label=bar cs2=abc field4=123
Jun 30 11:35:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test2 cs2Label=bar cs2=def field4=123
Jun 30 11:36:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test2 cs2Label=bar cs2=abc field4=123
Jun 30 11:37:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test4 cs2Label=bar cs2=def field4=123
I have updated /opt/splunk/etc/system/local/props.conf like this:
[source::.../mytest.log]
SEDCMD-syslog1 = s/(.*)cs1Label=([a-zA-Z0-9]*) cs1=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog2 = s/(.*)cs2Label=([a-zA-Z0-9]*) cs2=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog3 = s/(.*)cs3Label=([a-zA-Z0-9]*) cs3=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog4 = s/(.*)cs4Label=([a-zA-Z0-9]*) cs4=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog5 = s/(.*)cs5Label=([a-zA-Z0-9]*) cs5=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
The preview looks good:
foo=test bar=abc
After uploading it looks like:
cs1Label=foo cs1=test cs2Label=bar cs2=abc
Any ideas?
... View more