All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extractions Not Working in props.conf - Split Field by slashes

astackpole
Path Finder
‎09-02-2020 07:52 AM

I have a field I am trying to split into new fields and it's not taking. The strings look similar to this- "AV:N/AC:P/PR:X" and I'm trying to extract the vector to equal just the first values (AV:N). I am trying to extract each part between the slashes (var1= AV:N, var2=AC:P) but am not sure why it's not taking. My props.conf below, any help with the regex or why this may not be working is greatly appreciated!

 

[sourcetype]
EXTRACT-vector = AV:(?<field_trying_to_extract_from>\w+)

[sourcetype]
Eval-vector = case(vector="AV:N", "Network", vector="AV:A", "Adjacent", vector="AV:L", "Local", vector="AV:P", "Physical")

Labels (1)
Labels
0 Karma
Reply

astackpole
Path Finder
‎09-02-2020 08:56 AM

Hmm, that didn't seem to fix the issue. I had been using the following case statements in the UI for dashboard queries as a temporary solution. Is there a way to convert the following into something extractable/usable in props.conf? It seems since eval doesn't take wild characters the case statement won't work the way you mentioned in props.conf until the calculated fields are successfully split by their slashes.

 

| eval vecs=split(field_to_extract_from,"/")
| eval C=mvindex(vecs,5)
| eval I=mvindex(vecs,6)
| eval A=mvindex(vecs,7)
| eval DCO=case(C = "C:H", "High", C="C:M", "Moderate", C="C:L", "Low", C="C:N", "None")

0 Karma
Reply

astackpole
Path Finder
‎09-02-2020 10:03 AM

I'm also getting this error on restart for the Eval commands if this is helpful as well-
Checking conf files for problems...
Invalid key in stanza
[sourcetype] in /opt/splunk/etc/apps/app/local/props.conf, line 14: Eval-Attack_Vector (value: case(Attack_Vector="AV:N", "Network", Attack_Vector="AV:A")).

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-02-2020 08:15 AM

In EXTRACT, the string following "EXTRACT-" is just a label, not a field.  The capture group in the regex specifies the name of the field to extract.  The field to extract FROM is _raw by default or can be specified by the in keyword.

EXTRACT-vector = AV:(?<vector>\w+) in field_trying_to_extract_from

The field name used in the EVAL must match that extracted by EXTRACT.

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...