topic Transform regex resulting in host=$1 in search results in Splunk Search

Transform regex resulting in host=$1 in search results

jlixfeld — Mon, 03 Oct 2011 21:50:40 GMT

I've clearly munged something in my transform:

# props.conf

[snmp-trap]
pulldown_type = true 
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = snmp-trap-host
REPORT-snmp-trap = snmp-trap-extractions
SHOULD_LINEMERGE = False


#transform.comf
[snmp-trap-host]
DEST_KEY = MetaData:Host
REGEX = (?:[0-9]{1,3}\.){3}[0-9]{1,3}
FORMAT = host::$1

[snmp-trap-extractions]
REGEX = ^(\d{4}-\d{2}-\d{2})\s(\d{2}:\d{2}:\d{2})\s([a-zA-Z]*)
FORMAT = trap_oid::$3

After | deleting, deleting and re-adding the data input file, my searches are returning:

10/3/11
5:33:40.000 PM  
2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" 10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4
host=$1  sourcetype=snmp-trap  source=/var/log/snmptt/snmptt.log

however it should read host=10.219.49.31.

The initial entry from /var/log/snmptt/snmptt.log reads as follows:

2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" 10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4

Anyone have any pointers?

Re: Transform regex resulting in host=$1 in search results

_d_ — Mon, 03 Oct 2011 22:34:58 GMT

Try wrapping your REGEX = (?:[0-9]{1,3}.){3}[0-9]{1,3} in parenthesis as such:
REGEX = ((?:[0-9]{1,3}.){3}[0-9]{1,3})

Re: Transform regex resulting in host=$1 in search results

gkanapathy — Mon, 03 Oct 2011 22:51:16 GMT

Or simply change the (?:...) (non-capturing group) to a (?...) (capturing group). $1 refers to the contents of the first capturing group in the regex.

Re: Transform regex resulting in host=$1 in search results

_d_ — Mon, 03 Oct 2011 22:54:41 GMT

hmmm...at its present state that will capture only the first three octets of an IP address.