https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227182#M67081 <P>For one sourcetype/source, do you've pid in different places? If in one sourcetype/source, the location/pattern/regex for pid is same, you just to need to create one REPORT with same field name (may be different regex) for each sourcetype/source. Also, there might be a way to create a single regex to accommodate all possible scenarios of pid location, but will depend upon the logs. Could you share a sample entry for each of the variations where pid can exists?</P> Wed, 11 Jan 2017 20:13:07 GMT somesoni2 2017-01-11T20:13:07Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227181#M67080 <P>I'm having trouble finding a good solution for extracting a "pid" type value that exists in a uri structure but in different locations depending on the sourcetype. The transform performing the extraction depends on other transforms as well.</P> <P>For instance, we have this all encompassing stanza in props.conf that extracts a bunch of fields for all "web" type logs:</P> <BLOCKQUOTE> <P>[(?:::){0}*-web]<BR /> KV_MODE=none<BR /> REPORT-webservice-extractions = webservice-base-extract, webservice-base-extract-request, webservice-base-extract-uri<BR /> uri depends on request which depends on the base extract. Now this works fine for most of our web logs, but there are several where that webservice-base-extract-uri transform cannot match the regex on because the uri changes structure and thus the location of the pid changes. There's no fancy regex I can create that would be able to detect this because the only good way to find the pid is to go to a certain "level" deep in the uri. So I figure my only real option here is to create new stanzas for those specific sourcetypes, and use different transforms that basically duplicate all the fields from webservice-base-extract and webservice-base-extract-request and then use a different regex for the final uri extract. For example:</P> <P>[source::/var/log/SomeSourceTypeA-web.log]<BR /> KV_MODE=none<BR /> REPORT-webservice-extractions-SomeSourceTypeA = SomeSourceTypeA-base-extract, SomeSourceTypeA-base-extract-request, SomeSourceTypeA-base-extract-uri</P> <P>[source::/var/log/SomeSourceTypeB-web.log]<BR /> KV_MODE=none<BR /> REPORT-webservice-extractions-SomeSourceTypeB = SomeSourceTypeB-base-extract, SomeSourceTypeB-base-extract-request, SomeSourceTypeB-base-extract-uri<BR /> And so on and so on for each of these logs where the the uri structure is different. The issue I have with this is I am going to have to duplicate so many fields just to get to that final uri extract because to my knowledge I wouldn't want to be using the same fields on different stanzas. For example:</P> <P>[source::/var/log/SomeSourceTypeB-web.log]<BR /> KV_MODE=none<BR /> REPORT-webservice-extractions-SomeSourceTypeB = webservice-base-extract, webservice-base-extract-request, SomeSourceTypeB-base-extract-uri<BR /> The thing is ideally the above stanza is what I would like to do in essence since I would be using the same fields and not duplicating, and only having the difference being the logic used for that final uri extract.</P> </BLOCKQUOTE> <P>I don't suppose anyone has any suggestions on the "cleanest" way I could accomplish this? Hopefully I've explained the situation properly, let me know if I can clarify anything. We are on Splunk 6.4.0.</P> Wed, 11 Jan 2017 19:16:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227181#M67080 briancronrath 2017-01-11T19:16:08Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227182#M67081 <P>For one sourcetype/source, do you've pid in different places? If in one sourcetype/source, the location/pattern/regex for pid is same, you just to need to create one REPORT with same field name (may be different regex) for each sourcetype/source. Also, there might be a way to create a single regex to accommodate all possible scenarios of pid location, but will depend upon the logs. Could you share a sample entry for each of the variations where pid can exists?</P> Wed, 11 Jan 2017 20:13:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227182#M67081 somesoni2 2017-01-11T20:13:07Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227183#M67082 <P>Sorry everyone, turns out I was overcomplicating things. As long as I had all the same base extractions in my one-off stanzas, it actually worked just fine and the field names being the same turned out to not be an issue! So that final stanza works just fine that I posted in my original question.</P> Wed, 11 Jan 2017 20:50:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227183#M67082 briancronrath 2017-01-11T20:50:47Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227184#M67083 <P>Hi briancronrath - Just making sure your answer provided is the solution to your question? If yes, please don't forget to click "Accept" so others will know it's resolved <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks!</P> Sun, 22 Jan 2017 03:39:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-to-extract-a-field-where-the-regular/m-p/227184#M67083 aaraneta_splunk 2017-01-22T03:39:48Z