Hello everybody
I am new to the regex topic.
I have events with the following information:
SPIEE-WIRELESS-MIB::**bsnStationMacAddress**.0 = STRING: **a9:12:fa:13:19:8F**
CISCO-LWAPP-UMBH-CALLT-MIB::**cldcClientSSID**.0 = STRING: **Campus-WLAN**
As we can see, we can present these two (and further logs) in the following format:
blabla-MIB::**FIELDNAME**.0 = Blabla: **FIELDVALUE**
I **have to** apply this extraction in transforms.conf.
My idea is:
```ini
[mytransform]
REGEX= (?:.*\-MIB::)(.+)(?:\.0\s\=\s[a-zA-Z0-9]+:\s)(.+)
FORMAT= $1::$2
```
Both (.+) are the field name and field value. I have extracted them as groups, but how do I define them as a Splunk field name and field value?
Thank you in advance
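To see what the posted transform produces before it goes into transforms.conf, here is the same REGEX run outside Splunk as an added example (my code, not the poster's or Splunk's). It applies the posted pattern to constructed sample events modelled on the two lines in the post and emulates what `FORMAT = $1::$2` does in Splunk: capture group 1 becomes the field name and group 2 its value. The anchored `STRICT_REGEX` variant, the extra sample events, and the field-name check are my assumptions, not part of the post.

```python
import re
from typing import Dict, Iterable, Pattern

# The REGEX from the post, copied unchanged. Splunk uses PCRE; this pattern
# only uses constructs that Python's re module interprets the same way.
POSTED_REGEX: Pattern[str] = re.compile(
    r"(?:.*\-MIB::)(.+)(?:\.0\s\=\s[a-zA-Z0-9]+:\s)(.+)"
)

# Assumed stricter variant (not from the post): anchored at the start of the
# event, the SNMP type token may contain a hyphen (e.g. Hex-STRING), and the
# value runs to the end of the line.
STRICT_REGEX: Pattern[str] = re.compile(
    r"^[\w-]+-MIB::(\w+)\.0\s=\s[\w-]+:\s(.+)$"
)

# Splunk field names are conventionally letters, digits and underscores and do
# not start with a digit or underscore; names that come out of event data are
# attacker-influenced, so anything else is dropped rather than indexed.
VALID_FIELD_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Constructed sample events: the first two mirror the post, the rest are
# constructed edge cases (a numeric type, and a hyphenated type).
SAMPLE_EVENTS = [
    "SPIEE-WIRELESS-MIB::bsnStationMacAddress.0 = STRING: a9:12:fa:13:19:8F",
    "CISCO-LWAPP-UMBH-CALLT-MIB::cldcClientSSID.0 = STRING: Campus-WLAN",
    "IF-MIB::ifInOctets.0 = Counter32: 123456",
    "SOME-MIB::rawPayload.0 = Hex-STRING: 00 11 22",
]


def apply_transform(event: str, regex: Pattern[str] = POSTED_REGEX) -> Dict[str, str]:
    """Emulate FORMAT = $1::$2: group 1 is the field name, group 2 the value.

    Returns an empty dict when the regex does not match, which is what Splunk
    does too: no match, no field.
    """
    match = regex.search(event)
    if match is None:
        return {}
    name, value = match.group(1), match.group(2)
    if not VALID_FIELD_NAME.match(name):
        # A name Splunk could not use cleanly (spaces, dots, leading digit).
        return {}
    return {name: value}


def extract_fields(events: Iterable[str], regex: Pattern[str] = POSTED_REGEX) -> Dict[str, str]:
    """Run the transform over several events and merge the resulting fields."""
    fields: Dict[str, str] = {}
    for event in events:
        fields.update(apply_transform(event, regex))
    return fields


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event!r}")
        print("  posted :", apply_transform(event))
        print("  strict :", apply_transform(event, STRICT_REGEX))
```

Running it shows the two posted events yielding `bsnStationMacAddress` and `cldcClientSSID` as field names with their values, which is exactly what `$1::$2` asks Splunk to do. It also shows one caveat worth checking before deploying: the posted type class `[a-zA-Z0-9]+` does not match hyphenated SNMP types such as `Hex-STRING`, so those events silently produce no field under the posted REGEX, while the anchored variant picks them up.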