Hi there,
i’m stuggeling with one of my input.
I’m getting the logs in this format, semicolons are everytime the same amount:
2018-02-08;13:19:44.489;INFORMATION;;;;2288;ReadPolicy: Configuration value read from INI file: StreamingExclusionList+=<!ctx_roamingappdata!\Microsoft\SystemCertificates>
Now i would like to extract all values between the semicolons in seperate field, but i dont know how i should use the split function corectly
I tried: split(".*",";");
Thanks and regards, Raphael
What would you expect as a result of that function invocation?
If the message has the same schema every time, you could use a Grok pattern to split it into the desired fields.
I would like to split every part of that line into an seperate field (seperated by the semicolon)
Havent worked with GROK yet 
And what would the respective field name be for each field?
Date,Time,Type,Name, Domain,User,ID,Action,Message something like that
And how would you assign these field names and values without a proper mapping?
That mapping could be done (implicitly) via Grok patterns or a regular expression with named groups.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.