topic Re: Props and Transforms report field extractions not working in Splunk Search

Props and Transforms report field extractions not working

dflodstrom — Tue, 07 Apr 2015 19:41:23 GMT

I am trying to configure props/transforms in a custom TA to perform some search-time field extractions for a custom event source. I have no issues creating the REGEX extraction in props.conf but when I try to use my REGEX as a report in transforms I don't have any luck.

in metadata/default.meta I have this:

 []
    access = read : [ * ], write : [ admin ]
    export = system

In props.conf I have:

  [sourcetype]
    REPORT-fields = fields_extract

In transforms.conf I have:

 [fields_extract]
    REGEX = regex(?<field1>\S+)\s(?<field2>\S+)

Background: I need to extract and name the fields for this sourcetype. Some events which describe errors contain fields within the data that don't exist in other events. My plan is to have one regex that works on every event and another regex that matches starting on the error description to pull out the extra fields. I understand how to call two reports on one line but for some reason I can't get my extraction to work in transforms, only in props.

Re: Props and Transforms report field extractions not working

rsennett_splunk — Tue, 07 Apr 2015 19:52:27 GMT

You probably want to add the FORMAT to our transforms stanza, and your syntax for the regex is odd... unless your data really is prefixed by the characters r e g e x that's what you're telling it.

Since you seem to have values and no keys it would look like this:

[fields_extract]
REGEX=(?<field1>\S+)\s(?<field2>\S+)
FORMAT = first_Field::$1 second_Field::$2

Re: Props and Transforms report field extractions not working

dflodstrom — Wed, 08 Apr 2015 12:46:48 GMT

I should have mentioned that my 'regex' was only to use as an example. I have an actual regex string in there that worked just fine when I had it in props.conf.

I thought my syntax of (?) meant that I didn't have to use the FORMAT parameter. I will give this a try and get right back!

Re: Props and Transforms report field extractions not working

dflodstrom — Wed, 08 Apr 2015 15:28:11 GMT

My solution was a sad case of fat fingers. Thanks @rsennett_splunk for having a look. I've sent you 10 points.

Re: Props and Transforms report field extractions not working

dflodstrom — Wed, 08 Apr 2015 15:29:32 GMT

Mods can close this question. The solution wasn't Splunk related. I've awarded points to @rsennett_splunk for contributing.

Re: Props and Transforms report field extractions not working

rsennett_splunk — Wed, 08 Apr 2015 16:59:28 GMT

Ha. awesome. thank you!

Re: Props and Transforms report field extractions not working

landen99 — Thu, 10 Sep 2015 17:38:32 GMT

You don't need FORMAT when you use

(?<myfield>.)