Note: Previously Add-On for HL7 (https://splunkbase.splunk.com/app/3068/)
To Be Used with HL7 Dashboard Examples App for Splunk
The value of this Add-on comes from its ability to:
1. Parse every HL7 message from a log entry.*
2. Extract every segment within any HL7 v2.x message into its own Splunk Field.**
3. Extract every field within every segment in the message.**
4. Provide examples on how to extract values from HL7 subfields.
e.g. PID-5 contains family_name, given_name, middle_name, suffix, prefix, degree.
Individual fields are created for each of these.
5. Provide examples on how to enrich HL7 coded values with actual contextual descriptions.
e.g. MSH-9 may have ADT^A08.
A new field Message_Type will also be present with a value of "Update Patient Information".
If the logs come from Cloverleaf's Interface engine, there are additional extractions for thread_id, client IP, and client port.
NOTE: When migrating to Splunk 7.2, fields from HL7 segments will only show up in Verbose search mode because they are extracted using DELIMS and not REGEX. Until a new version is released, if you need the fields to show in Smart Mode, add | field * to the end of your base search OR change your transforms like this:
[MSH_Fields]
#DELIMS = "|"
#FIELDS = MSH_2,MSH_3,MSH_4,MSH_5,MSH_6,MSH_7,MSH_8,MSH_9,MSH_10,MSH_11,MSH_12,MSH_13,MSH_14,MSH_15,MSH_16,MSH_17,MSH_18,MSH_19,MSH_20,MSH_21
REGEX = (?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?))*
SOURCE_KEY = MSH
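A parity check worth running before swapping DELIMS for the REGEX line (an added example, not part of the add-on): it rebuilds the regex shape of the stanza with the names from the FIELDS line and compares its named groups with a positional split on "|". Python's re stands in for Splunk's regex engine here, and the sample values, which assume the MSH source value starts at MSH-2, are constructed.

```python
import re

# Field names copied from the commented-out FIELDS line of [MSH_Fields].
NAMES = [f"MSH_{i}" for i in range(2, 22)]

def build_regex(names=NAMES):
    """Rebuild the stanza's REGEX shape with one named group per field:
    13 pipe-terminated fields, 6 optional pipe-terminated ones, 1 last field."""
    cell = r"(?P<%s>[^\|]*?)"
    required = "".join(cell % n + r"\|" for n in names[:13])
    optional = "".join("(" + cell % n + r"\|)*" for n in names[13:19])
    return re.compile(required + optional + "(" + cell % names[19] + ")*")

MSH_RE = build_regex()

def by_delims(value):
    """Positional split on "|", as DELIMS plus FIELDS would assign it."""
    return {n: v for n, v in zip(NAMES, value.split("|")) if v}

def by_regex(value):
    """Named groups of the rebuilt REGEX; empty or unmatched groups dropped."""
    m = MSH_RE.search(value)
    return {} if m is None else {n: v for n, v in m.groupdict().items() if v}

def mismatches(value):
    """Field names whose value differs between the two extraction styles."""
    d, r = by_delims(value), by_regex(value)
    return [n for n in NAMES if d.get(n) != r.get(n)]

# Constructed samples: the MSH value as assumed to arrive in SOURCE_KEY,
# i.e. starting at MSH-2 (the encoding characters), not at the "MSH" tag.
SHORT = r"^~\&|SENDAPP|SENDFAC|RECVAPP|RECVFAC|20240101120000||ADT^A08|MSG00001|P|2.5"
TERMINATED = "|".join(f"f{i}" for i in range(2, 16)) + "|"  # f2..f15 plus trailing pipe
FULL = "|".join(f"f{i}" for i in range(2, 22))              # f2..f21, all 20 fields

if __name__ == "__main__":
    for label, sample in (("short", SHORT), ("terminated", TERMINATED), ("full", FULL)):
        print(label, "->", mismatches(sample) or "identical")
```

Of the three samples, only the one that ends with a pipe after MSH_15 extracts identically. The short value yields no fields from the regex, and the 20-field value puts f20 in MSH_15 and leaves MSH_16 onward unset.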