https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184541#M53158 <P>Assuming this is a search time extraction, you simply need to identify the field to "look" at as SOURCE_KEY (if you omit that, the default SOURCE_KEY is _raw<BR /> The regex is fine as, is. Since you are extracting a field and not asking Splunk to produce the key value pair dynamically... you specify it in the regex as you've done... and then you can, for documentation, specify the format.</P> <P><CODE><BR /> [procname]<BR /> SOURCE_KEY = source<BR /> REGEX = 3......(?P<PROCNAME>.+?)rly<BR /> FORMAT = procname::$1<BR /> </PROCNAME></CODE></P> <P>Be sure to call the stanza, procname, in my example from a REPORT- directive in the props.conf</P> <P>The transforms.conf spec <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/Transformsconf" target="newWindow">here</A> shows a slightly different example, where the SOURCE_KEY defaults to raw and the transform is actually renaming the KEY of a KEY value pair already in the data... but it's the same principal.</P> <P><CODE><BR /> [netscreen-error-field]<BR /> REGEX = device_id=[w+](?<ERR>[^:]+)<BR /> FORMAT = err_code::$1<BR /> </ERR></CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles" target="other">Here</A> is a complete walk through all sorts of search time extractions using props.conf and transforms.conf for reference.</P> Sat, 31 May 2014 15:15:37 GMT rsennett_splunk 2014-05-31T15:15:37Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184540#M53157 <P>This rex statement works in search command: rex field=source "3......(?P<PROCNAME>.+?)rly"<BR /> I would like to convert it into REGEX statement in transforms.conf file.<BR /> What should be the REGEX statement?</PROCNAME></P> <P>Thanks in advanced.</P> Fri, 30 May 2014 23:29:06 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184540#M53157 ch_goh 2014-05-30T23:29:06Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184541#M53158 <P>Assuming this is a search time extraction, you simply need to identify the field to "look" at as SOURCE_KEY (if you omit that, the default SOURCE_KEY is _raw<BR /> The regex is fine as, is. Since you are extracting a field and not asking Splunk to produce the key value pair dynamically... you specify it in the regex as you've done... and then you can, for documentation, specify the format.</P> <P><CODE><BR /> [procname]<BR /> SOURCE_KEY = source<BR /> REGEX = 3......(?P<PROCNAME>.+?)rly<BR /> FORMAT = procname::$1<BR /> </PROCNAME></CODE></P> <P>Be sure to call the stanza, procname, in my example from a REPORT- directive in the props.conf</P> <P>The transforms.conf spec <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/Transformsconf" target="newWindow">here</A> shows a slightly different example, where the SOURCE_KEY defaults to raw and the transform is actually renaming the KEY of a KEY value pair already in the data... but it's the same principal.</P> <P><CODE><BR /> [netscreen-error-field]<BR /> REGEX = device_id=[w+](?<ERR>[^:]+)<BR /> FORMAT = err_code::$1<BR /> </ERR></CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles" target="other">Here</A> is a complete walk through all sorts of search time extractions using props.conf and transforms.conf for reference.</P> Sat, 31 May 2014 15:15:37 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184541#M53158 rsennett_splunk 2014-05-31T15:15:37Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184542#M53159 <P>I'd also suggest <A href="http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">this page</A>. It's a nice, easy walkthrough of using transforms.conf and props.conf for field extractions.</P> Sat, 31 May 2014 15:43:29 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184542#M53159 wpreston 2014-05-31T15:43:29Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184543#M53160 <P>Thanks. But Splunk doesn't pick it up. Here is what I have in props.conf and transforms.conf.</P> <P>props.conf:<BR /> [source::/logs/dxserver/3*_query_*.log]<BR /> REPORT-queryLog = dsaname </P> <P>transforms.conf:<BR /> [dsaname]<BR /> SOURCE_KEY = source<BR /> REGEX = 3......(?P<DSANAME>.+?)rly<BR /> FORMAT = dsaname::$1</DSANAME></P> <P>Example of the source field = "/logs/dxserver/3wtxq20corerly1_query_20140601.log". I expect the dsaname field equals to 'core' (without the qoute).</P> <P>Any syntax or format errors? <BR /> Thanks.</P> Mon, 02 Jun 2014 17:48:22 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-regex-in-transforms-conf/m-p/184543#M53160 ch_goh 2014-06-02T17:48:22Z