Hi All.
I want to extract fields from the following log data.
headerName=Host, Connection, Accept, headerValue=splunk.com, keep-alive, text/html
I want to extract fields like this.
Host=splunk.com
Connection=keep-alive
Accept=text/html
So I set the following in props and transforms.
props.conf
[MY_SYSLOG]
REPORT-a = SAMPLE_1,SAMPLE_2,SAMPLE_3
transforms.conf
[SAMPLE_1]
CLEAN_KEYS = 0
FORMAT = $1::$4
REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*)
[SAMPLE_2]
CLEAN_KEYS = 0
FORMAT = $2::$5
REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*)
[SAMPLE_3]
CLEAN_KEYS = 0
FORMAT = $3::$6
REGEX = headerName=(\w+),\s(\w+),\s(\w+),\sheaderValue=(.*?),\s(.*?),\s(.*)
This setting extracted fields for some log messages, but didn't extract fields for the following log message.
headerName=Host, Connection, Accept, Referer, headerValue=splunk.com, keep-alive, text/html, http://google.com
Is there a good solution?
Thank you for your help.
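The pairing the question asks for, sketched outside Splunk as an added example that is not part of the original post: split the headerName and headerValue lists and pair them by position, for any number of headers. The function name and the third sample line are constructed for illustration; the ", " separator is assumed from the two sample lines in the post.

```python
import re

# Everything between "headerName=" and ", headerValue=" is the name list;
# everything after "headerValue=" is the value list.
LINE_RE = re.compile(r"headerName=(?P<names>.*?),?\s*headerValue=(?P<values>.*)$")


def extract_headers(line):
    """Return {header name: value} for one log line, pairing by position.

    Returns {} when the line has no headerName/headerValue pair and raises
    ValueError when the two lists differ in length, because positional
    pairing would then attach values to the wrong header names.
    """
    m = LINE_RE.search(line)
    if m is None:
        return {}
    names = [n.strip() for n in m.group("names").split(",") if n.strip()]
    # Assumption: values are separated by ", " (comma plus space), as in the
    # sample lines. A value that itself contains ", " makes the line ambiguous
    # and is rejected by the length check below instead of being mis-paired.
    values = [v.strip() for v in m.group("values").split(", ")]
    if len(names) != len(values):
        raise ValueError(
            "%d header names but %d values" % (len(names), len(values))
        )
    return dict(zip(names, values))


# The first two lines are the samples from the post; the third is constructed
# to show the mismatch case.
SAMPLES = [
    "headerName=Host, Connection, Accept, headerValue=splunk.com, keep-alive, text/html",
    "headerName=Host, Connection, Accept, Referer, headerValue=splunk.com, "
    "keep-alive, text/html, http://google.com",
    "headerName=Host, Accept, headerValue=splunk.com, text/html, extra",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(extract_headers(sample))
        except ValueError as exc:
            print("skipped: %s" % exc)
```

Header values come from the client, so a line whose counts do not match is better flagged than indexed with shifted fields.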