topic How to split field in props.conf using EVAL? in Getting Data In

How to split field in props.conf using EVAL?

nithinsplunk — Mon, 03 Jun 2019 07:27:18 GMT

raw looks like

{sector=sys code=xyz0 value=item,number name=

I tried creating new field and splitting value it worked on search string , but want to apply in props

props.conf

[sourcetype]
EXTRACT-test= value\={?P<>.+?}\sname

Created new field, field looks like

Value=item,number

But we are looking in two different lines in same filed

value=item
            number

By above code i can extract a new filed but i also want to split .

FrankVl — Mon, 03 Jun 2019 13:23:01 GMT

Not entirely clear what end result you are after. Do you want to extract the item and number parts into separate fields?

If so, just extract it like this:

[sourcetype]
EXTRACT-test= value\=(?<item>[^,]+),(?<number.+?)\sname

If you also need the combined value=item,number field extracted, you can do an EVAL to glue the 2 pieces together again:

EVAL-value = item.",".number

Alternatively, you can also do:

[sourcetype]
EXTRACT-test01= value\=(?<value>.+?)\sname
EXTRACT-test02= (?<item>[^,]+),(?<number.+) in value

If I misunderstood your question, please explain what exactly you want to achieve.

VatsalJagani — Mon, 03 Jun 2019 14:37:07 GMT

Hi @nithinsplunk,

Try if this works for you. Below configuration will extract all fields like sector, code, value, etc. (= separated)

props.conf

[sourcetype]
REPORT-extract_fields = extract_fields_tr

transforms.conf

[extract_fields_tr]
REGEX  = ([^=\s{]*)=([^\s}]*)
FORMAT = $1::$2

Hope this helps!! If for any events fields are not getting extracted, please comment full _raw event.