topic How to extract multiple fields using the Extract property in props.conf? in Getting Data In

How to extract multiple fields using the Extract property in props.conf?

greggz — Thu, 08 Feb 2018 18:22:19 GMT

So I'm trying to extract multiple fields using the Extract property in props.conf
The source file looks like

my.prop.1=1
my.prop.2=2
my.prop.3=3
my.prop.4=4

And I want what EACH prop becomes a field. HENCE I did not used a prefix in the regex.

[my_sourcetype]
LINE_BREAKER = ((?!))
DATETIME_CONFIG=CURRENT
TRUNCATE=100000
KV_MODE = none
EXTRACT-watt_grouping = (?m)(.+?)=(.*)

I already used multiple variations of this regex and nothing seems to work. Is there anything blocking the field extraction ?

EDIT:
At search time I provided the conrresponding pipe and it seems to extract quite nicely: | extract pairdelim=",", kvdelim="=", auto=f, limit=500, mv_add=t .. Anyone knows how to make this work in transforms.conf ? I tried it with DELIMS = "\n","=" but it breaks in a specific property prop.256 = ?'- \#&@^\!%*\:$./\;,~+=)(|}{][><` .. It extracts the previous 255 props quite nicely though

Re: How to extract multiple fields using the Extract property in props.conf?

somesoni2 — Thu, 08 Feb 2018 18:50:21 GMT

Your source, is it one line per event or all those properties appear in same event? What are the fields that are automatically extracted by Splunk?

Re: How to extract multiple fields using the Extract property in props.conf?

masonmorales — Thu, 08 Feb 2018 18:54:26 GMT

Try this instead:

props.conf

[my_sourcetype]
LINE_BREAKER = ((?!))
DATETIME_CONFIG=CURRENT
TRUNCATE=100000
KV_MODE = none
REPORT-my_fields = multi_extract

transforms.conf

[multi_extract]
REGEX = (?m)(.+?)=(.*)
FORMAT = $1::$2
MV_ADD = true

Re: How to extract multiple fields using the Extract property in props.conf?

greggz — Tue, 29 Sep 2020 17:59:24 GMT

None, because I made it KV_MODE=none. No, All lines come in the same event. I purposedly made it so with the LINE_BREAKER = ((?!))

Re: How to extract multiple fields using the Extract property in props.conf?

greggz — Thu, 08 Feb 2018 18:58:46 GMT

Thanks, let me try it out

Re: How to extract multiple fields using the Extract property in props.conf?

greggz — Thu, 08 Feb 2018 19:03:18 GMT

This doesnt help.. It just clumps them all together. I want each line to become a new field with a given value.

Re: How to extract multiple fields using the Extract property in props.conf?

greggz — Thu, 08 Feb 2018 19:06:02 GMT

It just makes my.prop.1 = "1 my.prop.2 = 2 my.prop.3 = 3 ..."

Re: How to extract multiple fields using the Extract property in props.conf?

greggz — Fri, 09 Feb 2018 09:41:50 GMT

@somesoni2 ♦ Do you know how this should be done ?

Re: How to extract multiple fields using the Extract property in props.conf?

greggz — Fri, 09 Feb 2018 09:42:55 GMT

@masonmorales can you provide support to your own answer based on the feedback I gave you ?

Re: How to extract multiple fields using the Extract property in props.conf?

masonmorales — Fri, 09 Feb 2018 16:23:45 GMT

Are there always only 4 lines? If so you could just use 4 extract statements that are more specific.

Re: How to extract multiple fields using the Extract property in props.conf?

greggz — Fri, 09 Feb 2018 16:27:56 GMT

No.. they're above 400. This is the reason I don't use KV_MODE=AUTO because it has a 100 limit max extractions. The can be alphanumerical aswell or have only symbols