Solved: Issue extracting field from host metadata

john_byun · ‎10-07-2013

I am able to successfully extract the field at search time from the "host" field using rex with the following:

source="XXX" | rex field=host s(?P<storeNo>\d\d\d)store

When I try to add this using the Interactive Field Extractor and test it, it does not work. When I run a test, I can see that it adds quotations. The search below with quotes does not work.

source="XXX" | rex "field=host s(?P<storeNo>\d\d\d)store"

It looks like this in the props.conf file:

EXTRACT-storeNo = field=host s(?P<storeNo>\d\d\d)store

How do I make this a persistent field?

kristian_kolb · ‎10-07-2013

You should a few sample events containing the string you want to extract.

The rex statement should have the starting double quote after the field=fieldname specification. You seem to have noted that your config didn't work.

Probably the props.conf config should be;

EXTRACT-blah = \ss(?<storeNo>\d\d\d)store\s in host

From the docs regarding props.conf

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

EXTRACT-<name> = [<regex>|<regex> in <src_field>] * Used to create extracted fields (search-time field extractions) that do not reference transforms.conf stanzas. * Performs a regex-based field extraction from the value of the source field. * The <regex> is required to have named capturing groups. When the <regex> matches, the named capturing groups and their values are added to the event. * Use '<regex> in <src_field>' to match the regex against the values of a specific field. Otherwise it just matches against _raw (all raw event data). * NOTE: <src_field> can only contain alphanumeric characters (a-z, A-Z, and 0-9). * If your regex needs to end with 'in <string>' where <string> is *not* a field name, change the regex to end with '[i]n <string>' to ensure that Splunk doesn't try to match <string> to a field name.

/K

View solution in original post

kristian_kolb · ‎10-07-2013

You should a few sample events containing the string you want to extract.

The rex statement should have the starting double quote after the field=fieldname specification. You seem to have noted that your config didn't work.

Probably the props.conf config should be;

EXTRACT-blah = \ss(?<storeNo>\d\d\d)store\s in host

From the docs regarding props.conf

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

EXTRACT-<name> = [<regex>|<regex> in <src_field>] * Used to create extracted fields (search-time field extractions) that do not reference transforms.conf stanzas. * Performs a regex-based field extraction from the value of the source field. * The <regex> is required to have named capturing groups. When the <regex> matches, the named capturing groups and their values are added to the event. * Use '<regex> in <src_field>' to match the regex against the values of a specific field. Otherwise it just matches against _raw (all raw event data). * NOTE: <src_field> can only contain alphanumeric characters (a-z, A-Z, and 0-9). * If your regex needs to end with 'in <string>' where <string> is *not* a field name, change the regex to end with '[i]n <string>' to ensure that Splunk doesn't try to match <string> to a field name.

/K

john_byun · ‎10-07-2013

Thank you. Replacing 'field=host' to 'in host' fixed the issue.

Issue extracting field from host metadata

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation