Currently I'm doing an extraction on a log file like so:
[AUDIT_PARSE]
REGEX = \x5b[^\x5d]+\x5d\s+(\w+)\s+(?:\x7b([^\x7d]+)\x7d){0,1}\x2d\s+(.*)
FORMAT = level::$1 log_source::$2 message::$3
One of the extracted fields you see is 'message', which itself has a number of key-value pairs. I then want to take the extracted 'message' and parse those pairs.
[AUDIT_MESSAGE_PARSE]
REGEX = \s*(\S+)\s*\x3a\s*((?:[^\x7c\x5d])+?)\s*(?:\x7c|$)
SOURCE_KEY = field:message
FORMAT = $1::$2
One of those key value extractions has another field I want parsed, so I do another one on that field:
[INITIATOR_PARSE]
SOURCE_KEY = field:Initiator
REGEX = ^(.*?)\x2f([^\x40]+)(?:\x40(.+)){0,1}$
FORMAT = SSO_Organization::$1 SSO_User::$2 SSO_Domain::$3
I put them all together with the following in props:
TRANSFORMS-audit = AUDIT_PARSE, AUDIT_MESSAGE_PARSE, INITIATOR_PARSE
Right now AUDIT_PARSE runs and works, but the remainder does not work. If I remove the SOURCE_KEY it 'runs', but it will run in _raw instead of the pre-extracted field. Is this a Splunk limitation where I need to do this at index time, or am I missing something?
Thanks!
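As an added illustration, not from the post and not Splunk's own code, here is the three-stage extraction the post describes chained in Python over a constructed sample event, so the intended flow from _raw to message to Initiator is visible; the sample line and field names are assumptions matching the post's FORMAT settings.

```python
import re

# Constructed sample event in the layout the post's regexes expect (not from the post).
SAMPLE_LINE = ("[2024-01-01 12:00:00] INFO {auth-service}- "
               "Initiator: acme/jdoe@example.com | Action: login | Result: success")

# The three regexes from the post, with the \xNN escapes written as literal characters.
AUDIT_PARSE = re.compile(r"\[[^\]]+\]\s+(\w+)\s+(?:\{([^}]+)\}){0,1}-\s+(.*)")
AUDIT_MESSAGE_PARSE = re.compile(r"\s*(\S+)\s*:\s*((?:[^|\]])+?)\s*(?:\||$)")
INITIATOR_PARSE = re.compile(r"^(.*?)/([^@]+)(?:@(.+)){0,1}$")


def parse_audit(raw: str) -> dict:
    """Stage 1 (AUDIT_PARSE on _raw): level::$1 log_source::$2 message::$3."""
    m = AUDIT_PARSE.search(raw)
    if not m:
        return {}
    fields = {"level": m.group(1), "message": m.group(3)}
    if m.group(2) is not None:          # the {log_source} part is optional
        fields["log_source"] = m.group(2)
    return fields


def parse_message(fields: dict) -> dict:
    """Stage 2 (AUDIT_MESSAGE_PARSE on the extracted message only): $1::$2 per pair."""
    message = fields.get("message")
    if message is not None:
        for key, value in AUDIT_MESSAGE_PARSE.findall(message):
            fields[key] = value
    return fields


def parse_initiator(fields: dict) -> dict:
    """Stage 3 (INITIATOR_PARSE on the Initiator field): SSO_Organization/SSO_User/SSO_Domain."""
    initiator = fields.get("Initiator")
    m = INITIATOR_PARSE.match(initiator) if initiator is not None else None
    if m:
        fields["SSO_Organization"], fields["SSO_User"] = m.group(1), m.group(2)
        if m.group(3) is not None:      # the @domain suffix is optional
            fields["SSO_Domain"] = m.group(3)
    return fields


def extract(raw: str) -> dict:
    """Run the three stages in the order TRANSFORMS-audit lists them."""
    return parse_initiator(parse_message(parse_audit(raw)))


if __name__ == "__main__":
    for name, value in extract(SAMPLE_LINE).items():
        print(f"{name}={value}")
```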