HL7 Add-On for Splunk

Note: Previously Add-On for HL7 (https://splunkbase.splunk.com/app/3068/) To Be Used with HL7 Dashboard Examples App for Splunk The value from this Add-on is derived by it's ability to: 1. Parse every HL7 message from log entry.* 2. Extract every segment within any HL7 v2.x message into it's own Splunk Field.** 3. Extract every field within every segment in the message.** 4. Provide examples on how to extract values from HL7 subfields. i.e. PID-5 contains family_name,given_name,middle_name,suffix,prefix,degree. Individual fields are created for each of these. 5. Provide examples on how to enrich HL7 coded values with actual contextual descriptions. i.e. MSH-9 may have ADT^A08. A new field Message_Type will also be present with a value of "Update Patient Information" If the logs come from Cloverleaf's Interface engine there are additional extractions for thread_id, client ip, and client port. NOTE: When migrating to Splunk 7.2 Fields from HL7 Segments will only show up in Verbose search mode because they are extracted using DELIMS and not REGEX. Until a new version is released, if you need fields to show in SmartMode please add | field * to the end of your base search OR change your transforms like this: [MSH_Fields] #DELIMS = "|" #FIELDS = MSH_2,MSH_3,MSH_4,MSH_5,MSH_6,MSH_7,MSH_8,MSH_9,MSH_10,MSH_11,MSH_12,MSH_13,MSH_14,MSH_15,MSH_16,MSH_17,MSH_18,MSH_19,MSH_20,MSH_21 REGEX = (?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|(?P[^\|]*?)\|((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?)\|)*((?P[^\|]*?))* SOURCE_KEY = MSH