Hello everybody
I am new to the regex topic.
I have events with the following information:
SPIEE-WIRELESS-MIB::**bsnStationMacAddress**.0 = STRING: **a9:12:fa:13:19:8F**
CISCO-LWAPP-UMBH-CALLT-MIB::**cldcClientSSID**.0 = STRING: **Campus-WLAN**
As we can see, we can present these two (and further logs) in the following format:
blabla-MIB::**FIELDNAME**.0 = Blabla: **FIELDVALUE**
I **have to** apply this extraction in transforms.conf
My idea is:
```
[mytransform]
REGEX = (?:.*\-MIB::)(.+)(?:\.0\s\=\s[a-zA-Z0-9]+:\s)(.+)
FORMAT = $1::$2
```
Both (.+) are the field names and field values. I have extracted them as groups but how do I define them as a Splunk fieldname and field value?
Thank you in advance
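
A way to check the stanza above before deploying it, as an added example that is not part of the original post: the Python below applies the same REGEX to the two sample events and pairs group 1 (field name) with group 2 (field value), which is the mapping `FORMAT = $1::$2` expresses for a search-time extraction. The third event and the `extract_fields` helper are constructed for illustration, and the `**` markers in the post are assumed to be forum emphasis rather than part of the raw events.

```python
import re

# The REGEX from the [mytransform] stanza above, unchanged.
TRANSFORM_REGEX = re.compile(
    r"(?:.*\-MIB::)(.+)(?:\.0\s\=\s[a-zA-Z0-9]+:\s)(.+)"
)

# Constructed sample: the two events from the post with the ** markers
# removed (assumed to be forum emphasis), plus one constructed varbind with
# instance index .1, which the \.0 in the regex does not cover.
SAMPLE_EVENTS = [
    "SPIEE-WIRELESS-MIB::bsnStationMacAddress.0 = STRING: a9:12:fa:13:19:8F",
    "CISCO-LWAPP-UMBH-CALLT-MIB::cldcClientSSID.0 = STRING: Campus-WLAN",
    "EXAMPLE-MIB::exampleCounter.1 = INTEGER: 7",
]


def extract_fields(events):
    """Pair group 1 (field name) with group 2 (field value) per event.

    Returns (fields, unmatched) so events the regex misses stay visible
    instead of silently producing no field.
    """
    fields, unmatched = {}, []
    for event in events:
        # Unanchored search: the pattern may match anywhere in the event.
        match = TRANSFORM_REGEX.search(event)
        if match is None:
            unmatched.append(event)
            continue
        fields[match.group(1)] = match.group(2)
    return fields, unmatched


if __name__ == "__main__":
    fields, unmatched = extract_fields(SAMPLE_EVENTS)
    for name, value in fields.items():
        print(f"{name} = {value}")
    for event in unmatched:
        print(f"no match: {event}")
```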