https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688091#M114608 <P><FONT face="courier new,courier">EXTRACT</FONT> props do not invoke a transform.&nbsp; Use <FONT face="courier new,courier">REPORT</FONT>, instead.</P> Tue, 21 May 2024 00:23:37 GMT richgalloway 2024-05-21T00:23:37Z https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688082#M114607 <P>Hello,</P> <P>I'm trying to dynamically set some extractions to save myself time and effort from writing hundreds of extractions.</P> <P>In my orgs IdAM solution, we have hundreds of various user claims.</P> <P>ie)</P> <P>&nbsp;<SPAN class="">Data=</SPAN><SPAN>{"</SPAN><SPAN class="">Claims</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class=""><A href="http://wso2.org/claims/user" target="_blank" rel="noopener">http://wso2.org/claims/user</A></SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">username</SPAN><SPAN>","</SPAN><SPAN class=""><A href="http://wso2.org/claims/role" target="_blank" rel="noopener">http://wso2.org/claims/role</A></SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">user_role</SPAN><SPAN>",...etc}</SPAN></P> <P><SPAN>I would like to set up a single extraction that will extract all of these claims.</SPAN></P> <P>My idea was the following</P> <LI-CODE lang="markup">props.conf EXTRACT-nrl_test = MatchAllClaims transforms.conf [MatchAllClaims] FORMAT = user_$1::$2 REGEX = \"http:\/\/wso2.org\/claims\/(\w+)\":\"([^\"]+) MV_ADD = true</LI-CODE> <P>&nbsp;</P> <P>I was hoping this would extract the field dynamically, but it did not work.</P> <P>is there a way to accomplish this with one extraction?</P> <P>&nbsp;</P> <P>Thank you</P> Mon, 20 May 2024 20:42:47 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688082#M114607 nateloepker 2024-05-20T20:42:47Z https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688091#M114608 <P><FONT face="courier new,courier">EXTRACT</FONT> props do not invoke a transform.&nbsp; Use <FONT face="courier new,courier">REPORT</FONT>, instead.</P> Tue, 21 May 2024 00:23:37 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688091#M114608 richgalloway 2024-05-21T00:23:37Z https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688103#M114610 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252225">@nateloepker</a>&nbsp;,</P><P>your data seems to have a json format, did you tried using INDEXED_EXTRACTIONS = json in your sourcetype definition oer the spath command (<A href="https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Spath)?" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Spath)?</A></P><P>Ciao.</P><P>Giuseppe</P> Tue, 21 May 2024 05:36:49 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688103#M114610 gcusello 2024-05-21T05:36:49Z https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688202#M114621 <P>hey <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> ,</P><P>JSON extractions will not work for this. The full event is not in JSON, only the data portion</P><P>example event (without all of the claims)...</P><P>TID: [-1234]&nbsp; [2024-05-21 17:40:35,777] [asdf-asdf-asdf-asdf-asdf ] INFO {AUDIT_LOG} - Initiator=initiator Action=action Target=target Data= <SPAN>{"</SPAN><SPAN class="">Claims</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{ "<SPAN class=""><A href="http://wso2.org/claims/" target="_blank" rel="noopener">http://wso2.org/claims/</A></SPAN>username":"user", "<SPAN class=""><A href="http://wso2.org/claims/" target="_blank" rel="noopener">http://wso2.org/claims/</A></SPAN>role":"role"}}</SPAN></P> Tue, 21 May 2024 17:46:06 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688202#M114621 nateloepker 2024-05-21T17:46:06Z https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688203#M114622 <P>Thank you, good catch. Not sure how I messed that up.</P><P>I have corrected that error now, but I still do not get multiple fields extracted from this single extraction.</P> Tue, 21 May 2024 17:47:11 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamically-Extract-Fields-at-Search-Time/m-p/688203#M114622 nateloepker 2024-05-21T17:47:11Z