topic Re: create permanent field via rest api in Getting Data In

create permanent field via rest api

snigdha9nov — Mon, 04 Feb 2019 06:57:49 GMT

can permanent field be created by using regular expression via rest api?

Re: create permanent field via rest api

harsmarvania57 — Mon, 04 Feb 2019 09:43:07 GMT

Hi,

Can you please clarify "permanent field" ? If you want to create props.conf configuration to extract field using REST API then have a look at this answer https://answers.splunk.com/answers/688049/how-do-i-alter-propsconf-via-python-sdk.html

Re: create permanent field via rest api

snigdha9nov — Mon, 04 Feb 2019 09:55:00 GMT

I am trying this
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=image -d stanza=openstack -d type=EXTRACT -d "value= ^(?:[^\.\n]*\.){6}(?P[^ ]+)"
I can see this extracted field in field extraction but when I see my dataset "openstack" with search app ,it is not coming as interesting field in left side.i want to see it permanently as interested field.

Re: create permanent field via rest api

harsmarvania57 — Mon, 04 Feb 2019 10:02:24 GMT

Looks like your regex is wrong or splunk answers website removed certain part of regex. Always use 101010 button when posting code or regex.

Can you please confirm your regex, is this ^(?:[^\.\\n]*\.){6}(?P[^ ]+) OR ^(?:[^\.\\n]*\.){6}(?P<ext_field>[^ ]+)

Re: create permanent field via rest api

snigdha9nov — Mon, 04 Feb 2019 10:38:41 GMT

I am trying to use this command from splunk rest api reference manual
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?\d+)"

but confused with "value=port (?\d+)" what is "port" before regular expression

Re: create permanent field via rest api

harsmarvania57 — Mon, 04 Feb 2019 10:42:57 GMT

That is part of regular expression which should match something like port 1234 and from this match it will extract 1234 in port_number field.

Re: create permanent field via rest api

snigdha9nov — Mon, 04 Feb 2019 10:53:20 GMT

so if I want to extract field by regex I want to give name"image"...how should be the command
stanza = openstack(source or source type)
type =Extract
value=??
name??
what should be name and value

Re: create permanent field via rest api

harsmarvania57 — Mon, 04 Feb 2019 11:33:47 GMT

In stanza you need to provide host,source or sourcetype. I guess if you want to provide host or source then stanza should be like host::yourhostname or source::yoursourcename

In value you need to provide your regular expression, let's say your _raw data is This is myimage and you want to extract myimage in image field then your regular repression should be like this ^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$ , sample data with regex https://regex101.com/r/3G2UsI/1

In name, it will be user friendly name for this configuration(stanza).

Re: create permanent field via rest api

snigdha9nov — Tue, 05 Feb 2019 06:12:27 GMT

Are you sure host::yourhostname or source::source name is a correct way for stanza...
I mentioned stanza=mysoucename..and can see my extracted field in field extractions in same way as I did in splunkweb page with regex. ..but unable to see it on left side as interesting field.

Re: create permanent field via rest api

harsmarvania57 — Tue, 05 Feb 2019 09:02:17 GMT

Yes I am sure, for host and source you need to use host::yourhostname and source::yoursourcename, for sourcetype you do not need to use any prefix.

For sourcetype you can use stanza=yoursourcetype

Re: create permanent field via rest api

snigdha9nov — Tue, 05 Feb 2019 09:13:27 GMT

okk..thanks a lot....i was getting stuck with it.

Re: create permanent field via rest api

harsmarvania57 — Tue, 05 Feb 2019 09:32:03 GMT

Summarizing comments into answer.

To create props configuration using REST API , below parameter require.

name - User friendly name of the stanza.
stanza - Here you can define stanza based on host, source or sourcetype. For host, stanza will be stanza="host::yourhostname, for source stanza will be stanza="source::yoursource" and for sourcetype you do not need to provide any prefix so stanza will be stanza=yoursourcetype
type - Depend on your requirement, if you want to use transforms.conf then specify REPORT or if you want to use Inline regex then specify EXTRACT
value - For Inline REGEX (Aka EXTRACT) provide your regular expression for example : "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$" or if you want to use transforms (Aka REPORT) then provide comma or space delimited transforms list.

For example: I have raw data This is myimage with sourcetype mysourcetype and I want to extract myimage word from raw data in image field then we can use below curl to fire POST REST API, below curl command will create Private Field Extractions in search app and owner will be admin user.

curl -vk -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=test -d stanza=mysourcetype -d type=EXTRACT -d "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$"