https://community.splunk.com/t5/Splunk-Search/transforms-with-SOURCE-KEY-using-FIELDS/m-p/260563#M78169 <P>Dataset</P> <P>10.24.11.102 - user1 [10/Sep/2016:02:46:12 -0400] "GET <A href="http://www.foo.org:80/lib/stone/csrf/token.json" target="_blank">http://www.foo.org:80/lib/stone/csrf/token.json</A> HTTP/1.1" 200 393<BR /> 10.32.52.18 - user2 [10/Sep/2016:02:28:21 -0400] "GET <A href="https://aaa.idm.purple.org:8443/login" target="_blank">https://aaa.idm.purple.org:8443/login</A> HTTP/1.1" 200 2049<BR /> 10.210.18.17 - - [10/Sep/2016:00:10:57 -0400] "GET <A href="http://explore.google.org/robots.txt" target="_blank">http://explore.google.org/robots.txt</A> HTTP/1.1" 200 2049<BR /> 10.31.2.124 - user3 [09/Sep/2016:21:04:47 -0400] "POST <A href="http://bar.tree.com:80/authn-callback" target="_blank">http://bar.tree.com:80/authn-callback</A> HTTP/1.1" 200 1562</P> <P>When I search for <BR /> index=library sourcetype=proxy_access</P> <P>I do not get back ** <EM>method,url,protocol</EM> ** which would come from ** data_from_method_url**</P> <P>When I search for </P> <P>index=library sourcetype=proxy_access | extract reload=T<BR /> | extract ProzyData<BR /> | extract data_from_method_url</P> <P><STRONG>method, url, and protocol are all extracted correctly.</STRONG></P> <P>The first extraction REPORT-Extract is working as I get all of the expected fields.<BR /> GET <A href="http://www.foo.org:80/lib/stone/csrf/token.json" target="_blank">http://www.foo.org:80/lib/stone/csrf/token.json</A> HTTP/1.1<BR /> GET <A href="https://aaa.idm.purple.org:8443/login" target="_blank">https://aaa.idm.purple.org:8443/login</A> HTTP/1.1<BR /> GET <A href="http://explore.google.org/robots.txt" target="_blank">http://explore.google.org/robots.txt</A> HTTP/1.1<BR /> POST <A href="http://bar.tree.com:80/authn-callback" target="_blank">http://bar.tree.com:80/authn-callback</A> HTTP/1.1</P> <P>How do I get the method, url, and protocol to extract using the props and transforms.</P> <P>I have done many version of these files, but this is how they currently read.</P> <PRE><CODE>props.conf [proxy_access] REPORT-Extract = ProzyData description = Access Logs KV_MODE = none [pull_from_method_url] REPORT-method_from_method_url = data_from_method_url </CODE></PRE> <HR /> <PRE><CODE>transforms.conf [ProzyData] DELIMS = " " FIELDS = "src_ip","Unknown","user","datetime","timeoffset","method_url","responce","bytes" ################ extract from source_key ############# [data_from_method_url] SOURCE_KEY = method_url DELIMS = " " FIELDS = method,url,protocol </CODE></PRE> Tue, 29 Sep 2020 11:28:11 GMT willamwar 2020-09-29T11:28:11Z https://community.splunk.com/t5/Splunk-Search/transforms-with-SOURCE-KEY-using-FIELDS/m-p/260563#M78169 <P>Dataset</P> <P>10.24.11.102 - user1 [10/Sep/2016:02:46:12 -0400] "GET <A href="http://www.foo.org:80/lib/stone/csrf/token.json" target="_blank">http://www.foo.org:80/lib/stone/csrf/token.json</A> HTTP/1.1" 200 393<BR /> 10.32.52.18 - user2 [10/Sep/2016:02:28:21 -0400] "GET <A href="https://aaa.idm.purple.org:8443/login" target="_blank">https://aaa.idm.purple.org:8443/login</A> HTTP/1.1" 200 2049<BR /> 10.210.18.17 - - [10/Sep/2016:00:10:57 -0400] "GET <A href="http://explore.google.org/robots.txt" target="_blank">http://explore.google.org/robots.txt</A> HTTP/1.1" 200 2049<BR /> 10.31.2.124 - user3 [09/Sep/2016:21:04:47 -0400] "POST <A href="http://bar.tree.com:80/authn-callback" target="_blank">http://bar.tree.com:80/authn-callback</A> HTTP/1.1" 200 1562</P> <P>When I search for <BR /> index=library sourcetype=proxy_access</P> <P>I do not get back ** <EM>method,url,protocol</EM> ** which would come from ** data_from_method_url**</P> <P>When I search for </P> <P>index=library sourcetype=proxy_access | extract reload=T<BR /> | extract ProzyData<BR /> | extract data_from_method_url</P> <P><STRONG>method, url, and protocol are all extracted correctly.</STRONG></P> <P>The first extraction REPORT-Extract is working as I get all of the expected fields.<BR /> GET <A href="http://www.foo.org:80/lib/stone/csrf/token.json" target="_blank">http://www.foo.org:80/lib/stone/csrf/token.json</A> HTTP/1.1<BR /> GET <A href="https://aaa.idm.purple.org:8443/login" target="_blank">https://aaa.idm.purple.org:8443/login</A> HTTP/1.1<BR /> GET <A href="http://explore.google.org/robots.txt" target="_blank">http://explore.google.org/robots.txt</A> HTTP/1.1<BR /> POST <A href="http://bar.tree.com:80/authn-callback" target="_blank">http://bar.tree.com:80/authn-callback</A> HTTP/1.1</P> <P>How do I get the method, url, and protocol to extract using the props and transforms.</P> <P>I have done many version of these files, but this is how they currently read.</P> <PRE><CODE>props.conf [proxy_access] REPORT-Extract = ProzyData description = Access Logs KV_MODE = none [pull_from_method_url] REPORT-method_from_method_url = data_from_method_url </CODE></PRE> <HR /> <PRE><CODE>transforms.conf [ProzyData] DELIMS = " " FIELDS = "src_ip","Unknown","user","datetime","timeoffset","method_url","responce","bytes" ################ extract from source_key ############# [data_from_method_url] SOURCE_KEY = method_url DELIMS = " " FIELDS = method,url,protocol </CODE></PRE> Tue, 29 Sep 2020 11:28:11 GMT https://community.splunk.com/t5/Splunk-Search/transforms-with-SOURCE-KEY-using-FIELDS/m-p/260563#M78169 willamwar 2020-09-29T11:28:11Z https://community.splunk.com/t5/Splunk-Search/transforms-with-SOURCE-KEY-using-FIELDS/m-p/260564#M78170 <P>In your props.conf you have a stanza named <EM>pull_from_method_url</EM>. This settings under here should be under the same stanza at the other transform, <EM>proxy_access</EM>, as this is the sourcetype of your data. Stanza headings should be either sourcetype, source or host - unless I am misunderstanding and your data does have the sourcetype of <EM>pull_from_method_url</EM>?</P> Tue, 29 Sep 2020 11:33:15 GMT https://community.splunk.com/t5/Splunk-Search/transforms-with-SOURCE-KEY-using-FIELDS/m-p/260564#M78170 lquinn 2020-09-29T11:33:15Z