https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64757#M15992 <P>Ah. That's pretty cool. I will try this on Monday. Thanks!</P> Fri, 14 Dec 2012 22:44:29 GMT tnkoehn 2012-12-14T22:44:29Z https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64754#M15989 <P>After a delimited field extraction in transforms.conf, I have a field called Gateway_Name that contains, for example, a value of "den01gsx01". I am trying to perform a regex on that field in props.conf to extract "den01". I was told I could to it this way but I do not even get a Site field extracted. </P> <PRE><CODE>My props.conf looks like this: [test] REPORT-parsefields = test_parse EXTRACT-site = (?&lt;Site&gt;^\w{5}) in Gateway_Name My transforms.conf looks like this: [test_parse] DELIMS = "|" FIELDS = "Event_Header", "Gateway_Name", "Accounting_ID", "Start_Date", "Start_Time", "Disconnect_Date", "Disconnect_Time", "Call_Duration", "Disconnect_Reason", "Service_Delivered", "Call_Direction", "Calling_Number", "Called_Number", "Billing_Number", "Route_Label" </CODE></PRE> <P>Am I doing something wrong? Is there a better way?</P> Fri, 14 Dec 2012 17:48:20 GMT https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64754#M15989 tnkoehn 2012-12-14T17:48:20Z https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64755#M15990 <P>REPORT rules fire <EM>after</EM> EXTRACT rules; the Gateway_Name field won't exist to look for Site within it (EXTRACT-site). Consider a regular expression that's anchored on the delimiter.</P> <P>You can try something like <CODE>([^|])*|){&lt;N&gt;}</CODE> where N is the number of pipe-separated fields to skip. Looks like it should be 1.</P> Fri, 14 Dec 2012 18:02:42 GMT https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64755#M15990 sowings 2012-12-14T18:02:42Z https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64756#M15991 <P>REPORT runs after EXTRACT as sowings says, but you can quite simply get the effect you want by setting up your EXTRACT-site rule as a REPORT instead. REPORTS are processed in lexicographic order, so you can just do props.conf:</P> <PRE><CODE>[test] REPORT-parsefields = test_parse REPORT-site = site </CODE></PRE> <P>which will run REPORT-site/site <EM>after</EM> REPORT-parsefields/test_parse. Then in transforms.conf, you would add:</P> <PRE><CODE>[site] SOURCE_KEY = Gateway_Name REGEX = (?&lt;Site&gt;^\w{5}) </CODE></PRE> Fri, 14 Dec 2012 20:43:17 GMT https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64756#M15991 gkanapathy 2012-12-14T20:43:17Z https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64757#M15992 <P>Ah. That's pretty cool. I will try this on Monday. Thanks!</P> Fri, 14 Dec 2012 22:44:29 GMT https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64757#M15992 tnkoehn 2012-12-14T22:44:29Z https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64758#M15993 <P>Worked great! Thx!</P> Tue, 18 Dec 2012 17:16:40 GMT https://community.splunk.com/t5/Splunk-Search/Regex-after-delimited-field-extraction/m-p/64758#M15993 tnkoehn 2012-12-18T17:16:40Z