https://community.splunk.com/t5/Security/Field-Extraction-Using-Tranforms-Configration/m-p/669104#M17392 <P>Hello,</P><P>I have some issues to perform field extractions using transform configuration. It's not giving field value pairs as expected. Sample events and configuration files are given below. Some non-uniformities within the events are also marked in Bold. Any recommendations will be highly appreciated. Thank you so much.</P><P><STRONG>My Configuration Files</STRONG></P><P>[mypropfConf]</P><P>REPORT-mytranforms=myTransConf</P><P>[myTransConf]<BR />REGEX = ([^"]+?):'([^"]+?)'<BR />FORMAT = $1::$2</P><P><STRONG>Sample Events</STRONG></P><P>2023-11-15T18:56:29.098Z OTESTN097MA4515620 TEST<STRONG>user20248:</STRONG> UserID: '90A', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A5367817222', Scode: '' <STRONG>EventStatus: 0</STRONG>, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'Sec'</P><P>2023-11-15T18:56:29.021Z OTESTN097MB7513020 TESTuser20249: UserID: '95B', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A516670222', Scode: '' EventStatus: 0, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'tec'</P><P>2023-11-15T18:56:29.009Z OTESTN097MB9513020 TESTuser20248: UserID: '95A', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A546610222', Scode: '' EventStatus: 0, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'test'</P><P>&nbsp;</P> Sun, 19 Nov 2023 03:11:06 GMT SplunkDash 2023-11-19T03:11:06Z https://community.splunk.com/t5/Security/Field-Extraction-Using-Tranforms-Configration/m-p/669104#M17392 <P>Hello,</P><P>I have some issues to perform field extractions using transform configuration. It's not giving field value pairs as expected. Sample events and configuration files are given below. Some non-uniformities within the events are also marked in Bold. Any recommendations will be highly appreciated. Thank you so much.</P><P><STRONG>My Configuration Files</STRONG></P><P>[mypropfConf]</P><P>REPORT-mytranforms=myTransConf</P><P>[myTransConf]<BR />REGEX = ([^"]+?):'([^"]+?)'<BR />FORMAT = $1::$2</P><P><STRONG>Sample Events</STRONG></P><P>2023-11-15T18:56:29.098Z OTESTN097MA4515620 TEST<STRONG>user20248:</STRONG> UserID: '90A', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A5367817222', Scode: '' <STRONG>EventStatus: 0</STRONG>, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'Sec'</P><P>2023-11-15T18:56:29.021Z OTESTN097MB7513020 TESTuser20249: UserID: '95B', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A516670222', Scode: '' EventStatus: 0, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'tec'</P><P>2023-11-15T18:56:29.009Z OTESTN097MB9513020 TESTuser20248: UserID: '95A', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A546610222', Scode: '' EventStatus: 0, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'test'</P><P>&nbsp;</P> Sun, 19 Nov 2023 03:11:06 GMT https://community.splunk.com/t5/Security/Field-Extraction-Using-Tranforms-Configration/m-p/669104#M17392 SplunkDash 2023-11-19T03:11:06Z https://community.splunk.com/t5/Security/Field-Extraction-Using-Tranforms-Configration/m-p/669108#M17393 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909">@SplunkDash</a>,</P><P>you can use REPORT i you have a list of fields separated by comma or another char.</P><P>In your case I'd use a regex in props.conf&nbsp; like the following</P><LI-CODE lang="markup">EXTRACT-your_sourcetype = ^(?&lt;timestamp&gt;\d+-\d+-\d+T\d+:\d+:\d+\.\d+\w)\s+(?&lt;host&gt;[^ ]+)\s+(?&lt;user&gt;[^:]+):\s+UserID:\s+\'(?&lt;UserID&gt;[^\']+)\',\s+UserType:\s+\'(?&lt;UserType&gt;[^\']+)\',\s+System:\s+\'(?&lt;System&gt;[^\']+)\',\s+UAT:\s+\'(?&lt;UAT&gt;[^\']+)\',\s+EventType:\s+\'(?&lt;EventType&gt;[^\']+)\',\s+EventID:\s+\'(?&lt;EventID&gt;[^\']+)\',\s+Subject:\s+\'(?&lt;Subject&gt;[^\']+)\',\s+Scode:\s+\'(?&lt;Scode&gt;[^\']*)\'\s+EventStatus:\s+(?&lt;EventStatus&gt;\d*),\s+TimeStamp:\s*\'(?&lt;TimeStamp&gt;[^\']*)\',\s+Device:\s*\'(?&lt;Device&gt;[^\']*)\',\s+Msg:\s*\'(?&lt;Msg&gt;[^\']*)\',\s+var:\s*\'(?&lt;var&gt;[^\']*)\'</LI-CODE><P>You can test the regex at&nbsp;<A href="https://regex101.com/r/iQZi9K/1" target="_blank">https://regex101.com/r/iQZi9K/1</A></P><P>Ciao.</P><P>Guseppe</P> Sun, 19 Nov 2023 06:59:01 GMT https://community.splunk.com/t5/Security/Field-Extraction-Using-Tranforms-Configration/m-p/669108#M17393 gcusello 2023-11-19T06:59:01Z https://community.splunk.com/t5/Security/Field-Extraction-Using-Tranforms-Configration/m-p/669112#M17394 <P>I'm not sure if there was any modification to the copy-pasted config and/or events but your regex doesn't allow for spaces between the semicolon after the key name and the value.</P> Sun, 19 Nov 2023 07:56:44 GMT https://community.splunk.com/t5/Security/Field-Extraction-Using-Tranforms-Configration/m-p/669112#M17394 PickleRick 2023-11-19T07:56:44Z