Regex concatenation in props & transforms

ialahdal — Wed, 30 Sep 2020 04:09:00 GMT

I am using regex to extract a field but I need 2 different regex.
so under transforms.conf I made 2 different regex but with the same field, under props I called them.

I seek to achieve 3 things,

1- mask data in uri if needed
2- concatenate fields if masked
3- extract uri

URIs come in 2 different forms
1- uri_path all letters with 1 field to extract: i.e /Core/Test/

2- uri_path_profile letters & numbers with 3 fields to extract i.e
*/Test/?id={NIN}&contactType={type}
* where NIN is any 10 digit combination, and type is one out 3 possible strings

transforms.conf

#Field extraction for uri path
[uri_path]
REGEX = uri":"([\/A-Za-z]+)
FORMAT = uri::$1

[uri_path_profile]
REGEX = uri":"([\/A-Za-z]+)\?id=(\w+)&contactType=(\w+)
FORMAT = uri::$1?id=NIN&contactType=$3 NIN::$2 contact_type::$3

My end goal is to have both extracted regex into one field called uri but since the fields in the 2nd stanza is dynamic and will have a lot of entries i'd like them to all be made into one which would be
uri=/Test/?id=NIN&contactType=(group_3_value) so even if NIN has thousands of different records it will only show the 3 different strings at the end

is this doable?

Re: Regex concatenation in props & transforms

ialahdal — Wed, 12 Feb 2020 08:08:55 GMT

I solved this by using EVAL in props.conf

EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)

transforms.conf

[uri_path_1]
REGEX = uri":"(?<url>[\/A-Za-z]+)


[uri_path_2]
REGEX = uri":"(?<url>[\/A-Za-z]+)\?id=(?<NIN>\w+)&contactType=(?<contact_type>\w+)

topic Re: Regex concatenation in props & transforms in Splunk ITSI

Regex concatenation in props & transforms

Re: Regex concatenation in props & transforms