https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400800#M116076 <P>Can you provide a sample event?</P> Fri, 19 Jul 2019 04:20:10 GMT justinatpnnl 2019-07-19T04:20:10Z https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400799#M116075 <P>So i'm trying to extract and ip address from a multi-value field<BR /> and my transforms stanza is something along these lines</P> <P>transforms.conf<BR /> [ip]<BR /> REGEX = ((?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*)<BR /> FORMAT = IP::$1</P> <P>props.conf</P> <P>[host::hostname]<BR /> TIME_FORMAT = %a %b %d %H:%M:%S %T %Y<BR /> KV_MODE = none<BR /> SHOULD_LINEMERGE = false<BR /> REPORT-ip = ip</P> <P>So this works, however it also extracts the source, sourcetype and host values in my new ip field.<BR /> So i have random fields that look like IP= source::source|host::host|sourcetype.</P> <P>I could really use some help in trying to figure out why these extra values are being extracted.</P> Wed, 30 Sep 2020 01:24:59 GMT https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400799#M116075 Sparky1 2020-09-30T01:24:59Z https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400800#M116076 <P>Can you provide a sample event?</P> Fri, 19 Jul 2019 04:20:10 GMT https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400800#M116076 justinatpnnl 2019-07-19T04:20:10Z https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400801#M116077 <P>Are you on a single server instance?</P> <P>What if you try using only props? Something like below in props.conf in place of REPORT...</P> <PRE><CODE> EXTRACT-ip = (?&lt;ip&gt;(?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*) </CODE></PRE> Fri, 19 Jul 2019 04:38:07 GMT https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400801#M116077 jkat54 2019-07-19T04:38:07Z https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400802#M116078 <P>Thank you, i tried this and I'm still getting the same results. Although I've noticed that my issue only occurs when I run a search with data from 2 sources.<BR /> One of the sources is the one i want my extractions to match against<BR /> and the other source shouldn't be getting matched </P> <P>My props stanza should only be matching hosts like this:<BR /> [host::(?-i)hostname1*]</P> <P>but it's also matching and performing extractions(incorrectly) against the hosts that don't match my stanza</P> Fri, 19 Jul 2019 14:21:31 GMT https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400802#M116078 Sparky1 2019-07-19T14:21:31Z https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400803#M116079 <P>Do you have any other props defined that are overriding / adding to the mix?</P> <PRE><CODE> ./splunk btool props list --debug </CODE></PRE> Fri, 19 Jul 2019 14:36:25 GMT https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400803#M116079 jkat54 2019-07-19T14:36:25Z https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400804#M116080 <P>It's very possible. I just ran the debug command you suggested, and I've got a couple thousand lines to sift through</P> Fri, 19 Jul 2019 18:06:47 GMT https://community.splunk.com/t5/Splunk-Search/Getting-the-wrong-fields-extracted-from-my-props-and-transforms/m-p/400804#M116080 Sparky1 2019-07-19T18:06:47Z