
Forums: SplunkAdministration: Delimiting Log Files


I have log data that isn't picking up what I need in the auto field population. It seems to be in the body of the message. After researching, it's become obvious I need to set a delimiter; however, it's not quite obvious to me what to delimit in these logs.

These are Juniper SSL VPN logs:

Sep 10 23:12:19 192.168.1.1 Juniper: 2009-09-11 04:12:19 - MyDeviceName - [192.168.1.1] MyBusiness::MyUserid(MyBusiness)[@Posture1, @Posture2, @Posture3] - WebRequest ok : Host: mymail.domain.com, Request: POLL /exchange/MyUserid/Tasks HTTP/1.1

I need to be able to develop queries that give me MyBusiness - MyUserid - Listing of the postures.
Any suggestions on what delimiters to use? I got ':' but am not sure if '[' and ']' are considered delimiters as well.

I got the answer and ended up using regex expressions to generate the fields I needed.

Can you post the solution, because I am having a similar issue?
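Added example, not code posted by anyone in this thread: one regex-based extraction of the realm, user id and posture list from the sample line above. Splitting on ':' does not work here because the colon also appears in the timestamp, "Juniper:", "::" and "Host:", and '[' ']' wrap both the source IP and the posture list, so the pattern anchors on the "Realm::User(Realm)[...]" shape instead; field names are my own choice and the trailing "no postures" case is a constructed variant.

```python
import re

# Constructed sample: the log line quoted in the first post of the thread.
SAMPLE = (
    "Sep 10 23:12:19 192.168.1.1 Juniper: 2009-09-11 04:12:19 - MyDeviceName - "
    "[192.168.1.1] MyBusiness::MyUserid(MyBusiness)[@Posture1, @Posture2, @Posture3] "
    "- WebRequest ok : Host: mymail.domain.com, Request: POLL /exchange/MyUserid/Tasks HTTP/1.1"
)

# Named groups: src_ip, realm, user, auth_realm, postures (optional), event.
# The same pattern can be used in Splunk's rex command or in a props/transforms
# EXTRACT stanza by writing the groups as (?<name>...) instead of (?P<name>...).
JUNIPER_RE = re.compile(
    r"\[(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+"      # bracketed client IP
    r"(?P<realm>[^:\s]+)::(?P<user>[^(\s]+)"           # Realm::User
    r"\((?P<auth_realm>[^)]*)\)"                       # (authenticating realm)
    r"(?:\[(?P<postures>[^\]]*)\])?"                   # [@Posture1, ...] may be absent
    r"\s+-\s+(?P<event>.+)$"                           # free-text event after " - "
)


def parse_juniper(line):
    """Return a dict of extracted fields, or None if the line does not match."""
    m = JUNIPER_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    raw = fields.pop("postures") or ""
    # Posture entries are comma separated and each carries a leading '@'.
    fields["postures"] = [p.strip().lstrip("@") for p in raw.split(",") if p.strip()]
    return fields


if __name__ == "__main__":
    for key, value in parse_juniper(SAMPLE).items():
        print(f"{key}={value}")
```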