https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107221#M27874 <P>My ultimate goal is to create a regex expression that can be used use to extract fields from any record made up comma-seperated fields. For example, if a normal event looks like this:</P> <BLOCKQUOTE> <P>"RADSP01HDQRW","IAS",04/02/2012,16:14:38,2,,"RETAIL\HH01-9002",,,,,,,,0,"10.170.191.48"</P> </BLOCKQUOTE> <P>it will always contain 15 commas, therefore 16 fields.</P> <P>I created the regex expression below and tested it with UltraEditPro. </P> <BLOCKQUOTE> <P>[^,]<EM>(?=(,[^,]</EM>){15,15}$)</P> </BLOCKQUOTE> <P>It will find the 1st field. In order to make it find the 2nd field I simply replace (15,15) with (14,14).</P> <P>Everything looked great in UltraEdit but when I pasted it into the Field Extraction UI<BR /> it complained... </P> <BLOCKQUOTE> <P>Invalid regex: no named extraction at position 7 (i.e., "=(,[^,]*){..."). Expected "(?P<VARIABLE>pattern)"</VARIABLE></P> </BLOCKQUOTE> <P>I tried various combinations before thinking surely someone else has already tackled this problem... so here's hoping!</P> Mon, 02 Apr 2012 20:38:06 GMT mikefoti 2012-04-02T20:38:06Z https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107221#M27874 <P>My ultimate goal is to create a regex expression that can be used use to extract fields from any record made up comma-seperated fields. For example, if a normal event looks like this:</P> <BLOCKQUOTE> <P>"RADSP01HDQRW","IAS",04/02/2012,16:14:38,2,,"RETAIL\HH01-9002",,,,,,,,0,"10.170.191.48"</P> </BLOCKQUOTE> <P>it will always contain 15 commas, therefore 16 fields.</P> <P>I created the regex expression below and tested it with UltraEditPro. </P> <BLOCKQUOTE> <P>[^,]<EM>(?=(,[^,]</EM>){15,15}$)</P> </BLOCKQUOTE> <P>It will find the 1st field. In order to make it find the 2nd field I simply replace (15,15) with (14,14).</P> <P>Everything looked great in UltraEdit but when I pasted it into the Field Extraction UI<BR /> it complained... </P> <BLOCKQUOTE> <P>Invalid regex: no named extraction at position 7 (i.e., "=(,[^,]*){..."). Expected "(?P<VARIABLE>pattern)"</VARIABLE></P> </BLOCKQUOTE> <P>I tried various combinations before thinking surely someone else has already tackled this problem... so here's hoping!</P> Mon, 02 Apr 2012 20:38:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107221#M27874 mikefoti 2012-04-02T20:38:06Z https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107222#M27875 <P>Since you have a delimiter that is separating your fields then I would take a look at the following:</P> <P>$SPLUNK_HOME/etc/system/local/props.conf</P> <PRE><CODE>[data] REPORT-fieldextract = fieldextract </CODE></PRE> <P>$SPLUNK_HOME/etc/system/local/transforms.conf </P> <PRE><CODE>[fieldextract] DELIMS = "," FIELDS = field1,field2,field3,...field16 </CODE></PRE> <P>Remember that this field extraction happens at index time so this will only work for the latest data. </P> <P>Here is a link to more information:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Transformsconf</A></P> Mon, 02 Apr 2012 20:57:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107222#M27875 tgow 2012-04-02T20:57:02Z https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107223#M27876 <P>Thanks for the reply. I read the props and transforms documentation and am unclear if the edits need to be in these files on the indexer or the UF.</P> <P>Also, if I want to extract the csv fields only for sourcetype=foo, does this look right?</P> <P>Props.conf [sourcetype::foo]<BR /> report_radius=extract_radius_CSV</P> <P>Transforms.conf: [extract_radius_CSV]<BR /> DELIMS=”,”<BR /> FIELDS=”nps_svrName”,”nps_svcName”,”nps_Date”,”nps_Time”,”nps_packetType,”nps_userName”,”nps_userFQDN”,”nps_calledStation”,”nps_callingStation”</P> Mon, 28 Sep 2020 11:38:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107223#M27876 mikefoti 2020-09-28T11:38:07Z https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107224#M27877 <P>Fields extractions are on the search head then if your indexer is the search head too then you should put it there.<BR /> Your sencond extraction via delims looks right.</P> Fri, 06 Apr 2012 05:32:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-copy-paste-a-regex-into-splunk/m-p/107224#M27877 MarioM 2012-04-06T05:32:22Z