Using:

index=default sourcetype=my:sourcetype
| extract pairdelim="][", kvdelim="=", auto=f

Feb 19 09:44:02 foobar Feb 19 2019 09:44:02.322 UTC : [My Port=2000][Device name=MyDevice][Device IP address=10.3.36.10][Device type=11]

Splunk extracts fields named:

My_Port, Device_name, Device_IP_Address, Device_type
Is there a props extract that will do the same as an automatic extraction, when there will be many unique kv pairs in events with this sourcetype?
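
One way to do this from configuration at search time, shown as an added example that is not part of the original post: a REGEX transform whose FORMAT is $1::$2 creates one field per [name=value] pair, whatever the names are. The stanza name bracket_kv_pairs and the REPORT class name bracket_kv are hypothetical.

```ini
# transforms.conf
# Hypothetical stanza name. The regex is applied repeatedly across the event,
# so every [name=value] pair yields a field without listing the names.
[bracket_kv_pairs]
# Group 1: field name (anything up to the first "=" inside the brackets)
# Group 2: field value (anything up to the closing "]")
REGEX = \[([^=\]]+)=([^\]]*)\]
# $1::$2 uses the captured name as the field name and the captured value as its value
FORMAT = $1::$2
# Default setting, shown for clarity: characters that are not valid in a field
# name (such as the spaces in "Device IP address") are replaced with underscores
CLEAN_KEYS = true

# props.conf
# Sourcetype taken from the search in the question
[my:sourcetype]
# Hypothetical class name; binds the transform above as a search-time extraction
REPORT-bracket_kv = bracket_kv_pairs
```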