Question
My Splunk log format has key-value pairs, but one key has caller details which are neither in JSON nor in XML format. It is some internal format for records.
JSON logs I can parse with spath, but is there any way that I can parse custom formats?
For example, my logs are in the following format:
Key1=value1 | Key2=value2 | key3=({intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3=value3})
Basically, the format is like:
({key=value; key=value ; key=value} ; {key=value; key=value ; key=value} ; {key=value; key=value ; key=value} ; {key=value; key=value ; key=value})
Is there any way to parse this in Splunk?
Answer 1:
I added a oneshot upload of a text file with the following contents on one line, with default settings, in Splunk 6.2.3:
Key1=value1 | Key2=value2 | key3=({intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3=value3})
After indexing the file, I ran the following search:
source="/some/path/to/foo.txt" | table Key1 Key2 key3 intern_key1 inern_key2 intern_key3
After exporting the results to CSV, I got the following (the first row is field names, the second row is values):
Key1,Key2,key3,"intern_key1","inern_key2","intern_key3"
value1,value2,"({intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3=value3}; {intern_key1=value1; inern_key2=value2; intern_key3=value3})",value1,value2,value3
I don't think you should have any problems; you may want to do some custom field extractions to make sure you're getting all the data parsed into fields. If "intern_key1", for example, has multiple values, you'll want to configure the way events break. So, instead of breaking on newlines, maybe you want to break on semicolons instead.
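The nested record format from the question, parsed outside Splunk as an added example (this is not code from the original post and not a Splunk command). It assumes exactly the layout shown in the question: outer fields separated by "|", the record list wrapped in parentheses, each record in braces, and pairs separated by ";". The sample line is constructed for the example, and the splitter is depth-aware so a "|" or ";" inside the record list is never mistaken for a field boundary, which is the case the answer above warns about (several records carrying the same inner key).

```python
"""Parser for the custom nested record format discussed above.

Added example, not Splunk code. Assumed grammar (from the question's sample):
    line   := field ( "|" field )*
    field  := key "=" value
    value  := plain text | "(" record ( ";" record )* ")"
    record := "{" key "=" value ( ";" key "=" value )* "}"
Inner values are assumed not to contain "{" or "}".
"""
import re

# Constructed sample line in the question's format (distinct inner values so
# that the multivalue handling is visible).
SAMPLE_LINE = (
    "Key1=value1 | Key2=value2 | key3=("
    "{intern_key1=value1; inern_key2=value2; intern_key3=value3}; "
    "{intern_key1=value4; inern_key2=value5; intern_key3=value6}; "
    "{intern_key1=value7; inern_key2=value8; intern_key3=value9})"
)

# One "{...}" record; inner values may not contain braces.
RECORD_RE = re.compile(r"\{([^{}]*)\}")


def split_top_level(text, sep):
    """Split on sep only while no '(' or '{' is open, so separators that
    appear inside the nested record list do not break the outer fields."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch in "({":
            depth += 1
        elif ch in ")}":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced closing bracket at offset {i}")
        elif ch == sep and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    if depth != 0:
        raise ValueError("unbalanced brackets: record list never closed")
    parts.append(text[start:])
    return parts


def parse_pairs(text, sep):
    """Parse 'k=v<sep>k=v' into a dict; empty chunks (trailing sep) are skipped."""
    pairs = {}
    for chunk in text.split(sep):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"not a key=value pair: {chunk!r}")
        key, _, value = chunk.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def parse_records(value):
    """Parse '({k=v; k=v}; {k=v; ...})' into a list of dicts, one per record."""
    body = value.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("record list must be wrapped in parentheses")
    return [parse_pairs(rec, ";") for rec in RECORD_RE.findall(body[1:-1])]


def parse_line(line):
    """Parse one log line: plain fields stay strings, a parenthesised
    record list becomes a list of dicts."""
    event = {}
    for field in split_top_level(line, "|"):
        field = field.strip()
        if not field:
            continue
        key, _, value = field.partition("=")
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            event[key.strip()] = parse_records(value)
        else:
            event[key.strip()] = value
    return event


def multivalue_fields(records):
    """Collapse a record list into Splunk-style multivalue fields:
    one inner key -> list of its values in record order."""
    mv = {}
    for rec in records:
        for k, v in rec.items():
            mv.setdefault(k, []).append(v)
    return mv


if __name__ == "__main__":
    event = parse_line(SAMPLE_LINE)
    print(event["Key1"], event["Key2"])
    for rec in event["key3"]:
        print(rec)
    print(multivalue_fields(event["key3"]))
```

Compare this with the CSV in the answer above: Splunk's automatic key=value extraction keeps only the first intern_key1/inern_key2/intern_key3 it meets, while the parser returns all three records, and multivalue_fields() gives the per-key value lists that a search-time extraction with repeated matches would produce in Splunk. Inside Splunk, the same effect can be approximated with a rex extraction that uses max_match=0 against the key3 field to pull out each "{...}" record as a multivalue field, and the explicit bracket-balance check here is the part a regex alone does not give you: a truncated record list is reported as an error instead of silently yielding fewer records.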
Source: https://stackoverflow.com/questions/31341915/splunk-custom-log-format-parsing