Index time field extraction from another field

rahiparikh — Mon, 07 Nov 2011 22:24:38 GMT

Hi,

I have two fields. Let's say they are field1 and field2. I extract field2 from field1. I also remove some part of field1 to give it appropriate value. Now, if I don't correct value of field1, I get field2. But, if I don't correct field1, I don't get field2 at all.

[transforms.conf]

[autocorrect_field1] SOURCE_KEY = field1 REGEX = (<regex1>)(<regex2>)(<regex3>) DEST_KEY = field1 WRITE_META = true FORMAT = field1::$1$3

[extract_field2] SOURCE_KEY = field1 REGEX = (<regex1>)(<regex2.1>)(<regex2.2>)(<regex3>) DEST_KEY = field2 FORMAT = field2::$2 WRITE_META = true

I have also set 101 priority for field2 in props.conf. What is the issue?

Thanks!

Re: Index time field extraction from another field

woodcock — Fri, 29 May 2015 23:59:21 GMT

Your props.conf needs to specify them in the correct order like this:

TRANSFORMS-correct = autocorrect_field1, extract_field2

Instead of what you are currently doing:

TRANSFORMS-wrong= extract_field2, autocorrect_field1

topic Re: Index time field extraction from another field in Splunk Search

Index time field extraction from another field

Re: Index time field extraction from another field