https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405364#M117173 <P>HI,</P> <P>if you want to add a search time field extraction within props.conf, just use <CODE>EXTRACT</CODE></P> <PRE><CODE>[your-sourcetype] EXTRACT-&lt;class&gt; = [&lt;regex&gt;|&lt;regex&gt; in &lt;src_field&gt;] * Used to create extracted fields (search-time field extractions) that do not reference transforms.conf stanzas. </CODE></PRE> <P>for reference see : <A href="http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Propsconf</A></P> <P>Please keep in mind that this will require a refresh/debug= <CODE>http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh</CODE></P> Wed, 28 Nov 2018 07:40:12 GMT dkeck 2018-11-28T07:40:12Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405363#M117172 <P>Hi All,</P> <P>How do I write a regular expression in props.conf for only one field ?</P> <P>like rex field=ab "regex"</P> <P>thanks<BR /> Rakesh</P> Wed, 28 Nov 2018 07:07:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405363#M117172 rakeshksingh 2018-11-28T07:07:10Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405364#M117173 <P>HI,</P> <P>if you want to add a search time field extraction within props.conf, just use <CODE>EXTRACT</CODE></P> <PRE><CODE>[your-sourcetype] EXTRACT-&lt;class&gt; = [&lt;regex&gt;|&lt;regex&gt; in &lt;src_field&gt;] * Used to create extracted fields (search-time field extractions) that do not reference transforms.conf stanzas. </CODE></PRE> <P>for reference see : <A href="http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Propsconf</A></P> <P>Please keep in mind that this will require a refresh/debug= <CODE>http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh</CODE></P> Wed, 28 Nov 2018 07:40:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405364#M117173 dkeck 2018-11-28T07:40:12Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405365#M117174 <P>Hi </P> <P>tried but no luck.</P> <P>[your-sourcetype]<BR /><BR /> EXTRACT-ab1 = [(?{.) in ab]</P> <P>Could you take a look and guide me which part i am missing ?</P> Wed, 28 Nov 2018 08:46:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405365#M117174 rakeshksingh 2018-11-28T08:46:42Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405366#M117175 <P>tried below also but no luck.</P> <P>EXTRACT-ab1 = (?{.) in ab</P> <P>ab as field name</P> <P>and tried with props and conf but no luck</P> <P>[mysourcetype]</P> <P>REPORT-myextract = myextract</P> <P>Then in transforms.conf:</P> <P>[myextract]</P> <P>SOURCE_KEY = ab</P> <P>REGEX = regex</P> Wed, 28 Nov 2018 10:15:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405366#M117175 rakeshksingh 2018-11-28T10:15:52Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405367#M117176 <P>Do you have an example of the data? </P> <P>Did you test your regex? for example here: <A href="https://regex101.com/">https://regex101.com/</A></P> <P>Syntax for EXTRACT should look like this : </P> <PRE><CODE>EXTRACT-threadid = (?&lt;threadid&gt;[0-9A-Fa-f]+)\s+ </CODE></PRE> Wed, 28 Nov 2018 10:24:26 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405367#M117176 dkeck 2018-11-28T10:24:26Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405368#M117177 <P>Those square brackets shouldn't be there.</P> Wed, 28 Nov 2018 10:28:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405368#M117177 FrankVl 2018-11-28T10:28:04Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405369#M117178 <P>Your EXTRACT doesn't look like a valid regex (but perhaps some characters went missing by posting it here without using the post as code option (use the 101010 button in the message editor toolbar, or enclose the code in `)</P> <P>Your transforms is impossible to comment on without posting the actual regex. Does that include named capturing groups (e.g. <CODE>(?&lt;fieldname&gt;regex)</CODE>? Otherwise you also need a FORMAT setting to specify what field(s) the capture group(s) should be mapped to.</P> Wed, 28 Nov 2018 10:29:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405369#M117178 FrankVl 2018-11-28T10:29:54Z https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405370#M117179 <P>Thanks for response,</P> <P>in ab field, data is on json format</P> Wed, 28 Nov 2018 17:59:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-write-a-Regular-expression-in-props-conf-for-only-one/m-p/405370#M117179 rakeshksingh 2018-11-28T17:59:21Z