All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field Extractions Not Working in props.conf - Split Field by slashes

astackpole
Path Finder
‎09-02-2020 07:52 AM

I have a field I am trying to split into new fields and it's not taking. The strings look similar to this- "AV:N/AC:P/PR:X" and I'm trying to extract the vector to equal just the first values (AV:N). I am trying to extract each part between the slashes (var1= AV:N, var2=AC:P) but am not sure why it's not taking. My props.conf below, any help with the regex or why this may not be working is greatly appreciated!

 

[sourcetype]
EXTRACT-vector = AV:(?<field_trying_to_extract_from>\w+)

[sourcetype]
Eval-vector = case(vector="AV:N", "Network", vector="AV:A", "Adjacent", vector="AV:L", "Local", vector="AV:P", "Physical")

Labels (1)
Labels
0 Karma
Reply

astackpole
Path Finder
‎09-02-2020 08:56 AM

Hmm, that didn't seem to fix the issue. I had been using the following case statements in the UI for dashboard queries as a temporary solution. Is there a way to convert the following into something extractable/usable in props.conf? It seems since eval doesn't take wild characters the case statement won't work the way you mentioned in props.conf until the calculated fields are successfully split by their slashes.

 

| eval vecs=split(field_to_extract_from,"/")
| eval C=mvindex(vecs,5)
| eval I=mvindex(vecs,6)
| eval A=mvindex(vecs,7)
| eval DCO=case(C = "C:H", "High", C="C:M", "Moderate", C="C:L", "Low", C="C:N", "None")

0 Karma
Reply

astackpole
Path Finder
‎09-02-2020 10:03 AM

I'm also getting this error on restart for the Eval commands if this is helpful as well-
Checking conf files for problems...
Invalid key in stanza
[sourcetype] in /opt/splunk/etc/apps/app/local/props.conf, line 14: Eval-Attack_Vector (value: case(Attack_Vector="AV:N", "Network", Attack_Vector="AV:A")).

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-02-2020 08:15 AM

In EXTRACT, the string following "EXTRACT-" is just a label, not a field.  The capture group in the regex specifies the name of the field to extract.  The field to extract FROM is _raw by default or can be specified by the in keyword.

EXTRACT-vector = AV:(?<vector>\w+) in field_trying_to_extract_from

The field name used in the EVAL must match that extracted by EXTRACT.

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...