I have a field I am trying to split into new fields and it's not taking. The strings look similar to this- "AV:N/AC:P/PR:X" and I'm trying to extract the vector to equal just the first values (AV:N). I am trying to extract each part between the slashes (var1= AV:N, var2=AC:P) but am not sure why it's not taking. My props.conf below, any help with the regex or why this may not be working is greatly appreciated!
[sourcetype]
EXTRACT-vector = AV:(?<field_trying_to_extract_from>\w+)
[sourcetype]
Eval-vector = case(vector="AV:N", "Network", vector="AV:A", "Adjacent", vector="AV:L", "Local", vector="AV:P", "Physical")
Hmm, that didn't seem to fix the issue. I had been using the following case statements in the UI for dashboard queries as a temporary solution. Is there a way to convert the following into something extractable/usable in props.conf? It seems since eval doesn't take wild characters the case statement won't work the way you mentioned in props.conf until the calculated fields are successfully split by their slashes.
| eval vecs=split(field_to_extract_from,"/")
| eval C=mvindex(vecs,5)
| eval I=mvindex(vecs,6)
| eval A=mvindex(vecs,7)
| eval DCO=case(C = "C:H", "High", C="C:M", "Moderate", C="C:L", "Low", C="C:N", "None")
I'm also getting this error on restart for the Eval commands if this is helpful as well-
Checking conf files for problems...
Invalid key in stanza
[sourcetype] in /opt/splunk/etc/apps/app/local/props.conf, line 14: Eval-Attack_Vector (value: case(Attack_Vector="AV:N", "Network", Attack_Vector="AV:A")).
In EXTRACT, the string following "EXTRACT-" is just a label, not a field. The capture group in the regex specifies the name of the field to extract. The field to extract FROM is _raw by default or can be specified by the in keyword.
EXTRACT-vector = AV:(?<vector>\w+) in field_trying_to_extract_from
The field name used in the EVAL must match that extracted by EXTRACT.