topic Re: How to extract field values from another field using transforms.conf and props.conf? in Splunk Search

How to extract field values from another field using transforms.conf and props.conf?

edrivera3 — Mon, 28 Sep 2020 20:01:03 GMT

Hi
I am trying to extract the field "block_num" from the field "block" during search-time. I've already extracted the field "block" correctly. I also tried this block_num extraction in the search app and it worked correctly. This is what I got:

transforms.conf:
[mvfield_block_num]
REGEX = Start-End\sSteps:\s(?<block_num>\d+-\d+)
SOURCE_KEY = fields:block
MV_ADD = true

props.conf
[tirfiles]
REPORT-block_num = mvfield_block_num

Re: How to extract field values from another field using transforms.conf and props.conf?

woodcock — Wed, 20 May 2015 20:22:29 GMT

Use this instead:

SOURCE_KEY = block

Re: How to extract field values from another field using transforms.conf and props.conf?

edrivera3 — Wed, 20 May 2015 20:27:15 GMT

I tried it, but it doesn't extract anything.

Re: How to extract field values from another field using transforms.conf and props.conf?

edrivera3 — Wed, 20 May 2015 20:36:24 GMT

I forgot to mention that "block" is a multi value field.

Re: How to extract field values from another field using transforms.conf and props.conf?

jacobwilkins — Mon, 28 Sep 2020 20:01:06 GMT

How is the block field being extracted? You'd only use the fields: syntax if it were extracted with an INDEXED_EXTRACTIONS directive on the forwarder.

If it is being auto-extracted via KV_MODE, then you probably can't use it as a source key.

If you had a transform called [extract_block] that did the search-time extraction for that field, you'd want your props to look like this:

[tirfiles]
REPORT-block = extract_block, mvfield_block_num

This would be easier to answer if we had a bigger picture of your config, and a good sample of what was being extracted into block.

Re: How to extract field values from another field using transforms.conf and props.conf?

woodcock — Wed, 20 May 2015 20:41:27 GMT

There is nothing more to say unless you post sample events.

Re: How to extract field values from another field using transforms.conf and props.conf?

edrivera3 — Mon, 28 Sep 2020 20:01:08 GMT

Ok.
Block is a multi-value field and it is extracted in search-time:

[tirfiles]
REPORT-step_block = mvfield_step_block

[mvfield_step_block]
REGEX = ---\n(?<block>Block\sStatus[\w\W\n]{1,20000}?)----\n
MV_ADD = true

Re: How to extract field values from another field using transforms.conf and props.conf?

edrivera3 — Mon, 28 Sep 2020 20:01:11 GMT

I changed props.conf to REPORT-step_block = mvfield_step_block, mvfield_block_num and it worked correctly. Thank you.