We have log entries similar to below and while I can write a regex expression to parse out all the kv pairs separated by a :, I wanted to know if there was a way I could use extract kvdelim to do the same. Note that all the k:v pairs come AFTER the % expression. In this case they also come after the = sign (Some logs do not have the = sign)
Jan 5 18:21:49.817: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:01/05/2012 18:21:34.254,cgn:3333,cdn:1023,frs:0,fid:1013,fcid:EDD6080E370011E18A2BC77F1C86C06D,legID:455,bguid:EDD6080E370011E18A2BC77F1C86C06D
I'm trying to do it via the search first before putting it into the transforms.conf so my search currently is
FEAT_HISTORY | extract pairdelim="=%",kvdelim=":"
but that doesn't work, it doesn't extract the k:v pairs in the above. Is there a way I can get the above to work or should I just stick with the long regex expression I've created?
Thanks
ref 1: http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Extract
ref 2: http://blogs.splunk.com/2008/02/12/delimiter-based-key-value-pair-extraction/
↧