https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-add-regex-to-transforms-conf/m-p/77439#M4902 <P>Hi,<BR /> I have some data like this.</P> <PRE><CODE>D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 </CODE></PRE> <P>I have to extract the fields from these. but the problem is IFE cannot extract as i want to.<BR /> cuz the fields are like this. have to extract them one by one. I don't know that much REGEX.</P> <P>D<BR /> HE12<BR /> 20130325<BR /> 21002200<BR /> GTB27000<BR /> etc<BR /> etc</P> <P>Please help.<BR /> I think i have to manually edit tranforms.conf and props.conf to do the translations right?</P> <P>Thanks in advance</P> <P>Chamil</P> Thu, 28 Mar 2013 08:09:39 GMT chamil3001 2013-03-28T08:09:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-add-regex-to-transforms-conf/m-p/77439#M4902 <P>Hi,<BR /> I have some data like this.</P> <PRE><CODE>D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001 </CODE></PRE> <P>I have to extract the fields from these. but the problem is IFE cannot extract as i want to.<BR /> cuz the fields are like this. have to extract them one by one. I don't know that much REGEX.</P> <P>D<BR /> HE12<BR /> 20130325<BR /> 21002200<BR /> GTB27000<BR /> etc<BR /> etc</P> <P>Please help.<BR /> I think i have to manually edit tranforms.conf and props.conf to do the translations right?</P> <P>Thanks in advance</P> <P>Chamil</P> Thu, 28 Mar 2013 08:09:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-add-regex-to-transforms-conf/m-p/77439#M4902 chamil3001 2013-03-28T08:09:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-add-regex-to-transforms-conf/m-p/77440#M4903 <P>If your log is really like that, with fixed-length fields concatenated together (mostly) without whitespace between them, you can do a props.conf only extraction, like so;</P> <PRE><CODE>[your_sourctype] EXTRACT-blah = (?&lt;field_name1&gt;\w{1})\s(?&lt;field_name2&gt;\w{4})(?&lt;field_name3&gt;\d{6})(?&lt;field_name4&gt;\d{6})(?&lt;field_name5&gt;\w{8}) </CODE></PRE> <P>etc etc</P> <P>field_name1 (rename it as you please) would contain the first character <CODE>\w{1}</CODE><BR /> then the space/tab is skipped <CODE>\s</CODE><BR /> field_name2 would contain the next 4 characters <CODE>\w{4}</CODE><BR /> field_name3 would contain the next 6 digits <CODE>\d{6}</CODE><BR /> etc etc </P> <P>Hope this helps, </P> <P>Kristian</P> Mon, 28 Sep 2020 13:38:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-add-regex-to-transforms-conf/m-p/77440#M4903 kristian_kolb 2020-09-28T13:38:02Z