topic Is it possible to do search time field extraction based punct in Getting Data In

Is it possible to do search time field extraction based punct

fredclown — Wed, 06 Aug 2025 15:02:48 GMT

I have events in a log file and they have different formats from event to event. I'm wondering if there is any way to use the punct field to do conditional field extraction? Let's say I have these two punct formats ...

___::_---..__//:::__---_--_:______:____-___-__..._

___::_---..__//:::__---_--_:______:___...:_-__...:

Edit:

I'm specifically asking about doing it with props and transforms so that the fields are reusable.

Re: Is it possible to do search time field extraction based punct

PrewinThomas — Wed, 06 Aug 2025 04:35:59 GMT

@fredclown

Yes. You can use it for conditional field extraction.

eg:

| makeresults count=2 | streamstats count as row | eval _raw=case( row=1, "abc::123-45..xy//:::zz-88-99:demo...end", row=2, "abc:123-45..xy//:::zz-88-99:demo:from...:demo...:" ) | eval punct=replace(_raw, "[A-Za-z0-9]", "_") | eval type=case( match(punct, "\\.\\.\\.___$"), "Type A", match(punct, "\\.\\.\\.:$"), "Type B", true(), "Unknown" ) | table row _raw punct type

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: Is it possible to do search time field extraction based punct

fredclown — Wed, 06 Aug 2025 15:02:06 GMT

Thanks, and sorry I was not clear enough. I want to do this with props and transforms so that the fields are reusable.

Re: Is it possible to do search time field extraction based punct

PickleRick — Wed, 06 Aug 2025 16:08:16 GMT

punct is (if it's generated, because its creation can be disabled) an indexed field like any other so you can use it. But the question is what do you mean by "conditional" extraction.

Re: Is it possible to do search time field extraction based punct

isoutamo — Thu, 07 Aug 2025 07:35:24 GMT

I think that you cannot do this with props and transforms. The reason for that is the order how those different processors are done in ingestion phase. See e.g https://www.aplura.com/assets/pdf/props_conf_order.pdf

Based on that diagram, ANNOTATE_PUNCT is after Splunk has apply other props and transforms stuff and events cannot go backwards on ingestion pipeline.