topic Re: Can you extract from a field that was extracted in the same stanza? in Splunk Search

Can you extract from a field that was extracted in the same stanza?

sillingworth — Tue, 29 Sep 2020 14:17:58 GMT

Using the docs here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf, specifically this section:

* Use '<regex> in <src_field>' to match the regex against the values of a
  specific field.  Otherwise it just matches against _raw (all raw event
  data).

I came up with this:

EXTRACT-metric_parts = : (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
EXTRACT-test = (?<metric_test>.*) in metric_path

All the field extractions in metric_parts work fine, but metric_test doesn't appear (it should be a duplicate of metric_path, according to my understanding of the readme).

Is there a limitation I'm missing here? Can src_field only be one of the automatic fields like source?

Re: Can you extract from a field that was extracted in the same stanza?

micahkemp — Thu, 01 Jun 2017 14:27:29 GMT

Though the documentation doesn't state this, I wonder if only works for indexed fields. Try setting it to source and see if that gives any results.

If that's the issue, you can use a transform and make use of the SOURCE_KEY directive instead to accomplish what you want.

Re: Can you extract from a field that was extracted in the same stanza?

woodcock — Thu, 01 Jun 2017 20:24:09 GMT

Switch from Extract to Report in props.conf:

REPORT-ArbitraryButUniqueStringHere = metric_parts, test

Then in transforms.conf this:

[metric_parts]
REGEX = (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
[test]
SOURCE_KEY = metric_path
REGEX = (?<metric_test>.*)

Re: Can you extract from a field that was extracted in the same stanza?

woodcock — Thu, 01 Jun 2017 20:26:29 GMT

It appears that you need it named twice so you can use fieldalias for that:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields

Re: Can you extract from a field that was extracted in the same stanza?

sillingworth — Fri, 02 Jun 2017 11:39:09 GMT

The extractions in the question are actually correct, but it seems a full refresh isn't enough to pull in the updated props.conf (I have no idea why).

Sticking | extract reload=true on the end of my search revealed the new fields.

Re: Can you extract from a field that was extracted in the same stanza?

sillingworth — Fri, 02 Jun 2017 11:40:10 GMT

Thanks for the answers guys. Turns out though what I have above works, once you reload the extracts with | extract reload=true. Added as an answer.

Re: Can you extract from a field that was extracted in the same stanza?

sillingworth — Fri, 02 Jun 2017 13:13:05 GMT

Actually scratch that. The original config started working for me, which I put down to the reload=true, but if I then add a third line extracting a field from within metric_test it still doesn't appear, whereas if I add it based on _raw it does.

I wonder if something is required to make Splunk aware that it can use metric_test as the source field.

Re: Can you extract from a field that was extracted in the same stanza?

sillingworth — Mon, 05 Jun 2017 14:55:10 GMT

What's the reason it has to be done that way? The docs suggest it's doable in extract.

Re: Can you extract from a field that was extracted in the same stanza?

woodcock — Tue, 06 Jun 2017 05:16:20 GMT

Evert EXTRACT happen simultaneously, as does every SEDCMD and many other things, but REPORT and TRANSFORMS can be serialized.