https://stackoverflow.com/questions/15949688
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianYou can create two search-time field extractions to create fields for TimeTaken and Action.
You will need to define a regular expression for each field, this should be straightforward given the format you describe.
Indexing Azure WAD logs data to extract fields on import to splunk
Question
we have data that comes from windows azure WADLogs, which I export comma separated and ends up looking like this:
"0635010205200000000","d921c47290f944a69c3394373b5c5988___Pricing.Api___Pricing.Api_IN_0___0000000001652031516___WADLogsLocalQuery",2013-04-08T12:24:04.8000293Z,635010205409475113,"deploymentid","Role","Role_IN_0",5,2,608,3232,"TimeTaken::16043 ms to perform Action::'some action'; TraceSource 'PricingApiTrace' event"
I want to extract fields called TimeTaken with a value of 16043 and Action with a value of 'some action'.
I can change the format of the bit starting '"TimeTaken ' if that would make things easier, and was hoping, after reading that :: automatically created fields that using the format above would allow the indexing to create the fields automatically, but it seems that this is not the case.
Any pointers?
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
