
Extract field from another field

Explorer

Let's say that I have this value in a field called BIG_NUMBER already extracted:

0A5F8103-A612-FF4E-44F2-77ABE10698B9-VOL1

What I actually need is this value:

0A5F8103-A612-FF4E-44F2-77ABE10698B9

whether in the same field or in another one. Also, it has to be an index-time extraction. I'm trying to do so with these config files, but the little_number field is still empty:

props.conf

[foobar]
CHECK_FOR_HEADER=TRUE
TIME_PREFIX = ^([^,]+,){3}
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y-%m-%d %H:%M:%S
SHOULD_LINEMERGE = false
REPORT-foo = foo_format, get_little_number

transforms.conf

[foo_format]
DELIMS = ","
FIELDS = "a","b","c","d","e","f","g","h","i","BIG_NUMBER","j"

[get_little_number]
REGEX = (?<little_number>[\w|\d]+-[\w|\d]+-[\w|\d]+-[\w|\d]+-[\w|\d]+)
SOURCE_KEY = BIG_NUMBER
0 Karma

Re: Extract field from another field

Legend

Why does it have to be an index-time extraction? It isn't right now anyway so that's good imho 🙂

0 Karma

Re: Extract field from another field

Legend

The regex syntax you're using is not valid for transforms.conf entries. In transforms.conf, you would do it like this:

[get_little_number]
SOURCE_KEY = BIG_NUMBER
REGEX = ([\w|\d]+-[\w|\d]+-[\w|\d]+-[\w|\d]+-[\w|\d]+)
FORMAT = little_number::$1
0 Karma
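To see what the two transforms in this thread actually do to the sample value, here is a small Python simulation of them (DELIMS/FIELDS first, then REGEX/FORMAT applied to the SOURCE_KEY). It is an added illustration, not code from the original answer or from Splunk; the sample event and the tighter hex-only regex are constructed assumptions. It also shows that the `|` inside the posted `[\w|\d]` character class is a literal pipe, not alternation, so the posted regex accepts values the tighter one rejects.

```python
import re

# Constructed sample event: 11 comma-delimited fields, BIG_NUMBER in the
# 10th position, as declared by FIELDS in the foo_format transform above.
SAMPLE_EVENT = ("x,y,2019-01-01 12:00:00,d,e,f,g,h,i,"
                "0A5F8103-A612-FF4E-44F2-77ABE10698B9-VOL1,j")
FIELDS = ["a", "b", "c", "d", "e", "f", "g", "h", "i", "BIG_NUMBER", "j"]

# REGEX and FORMAT exactly as posted in the answer above.
POSTED_REGEX = r"([\w|\d]+-[\w|\d]+-[\w|\d]+-[\w|\d]+-[\w|\d]+)"
FORMAT = "little_number::$1"

# Assumed tighter alternative: uppercase hex only, fixed group widths, so
# stray characters such as '|' or '_' do not slip into little_number.
TIGHT_REGEX = r"([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})"


def delim_extract(event, fields, delim=","):
    """Mimic a DELIMS/FIELDS transform: split the event and name the pieces."""
    return dict(zip(fields, event.split(delim)))


def regex_extract(value, regex, fmt):
    """Mimic a REGEX/FORMAT transform on one SOURCE_KEY value.

    FORMAT is a space-separated list of name::template pairs; $1..$n in a
    template are replaced with the corresponding capture groups.
    """
    m = re.search(regex, value)
    if not m:
        return {}
    out = {}
    for pair in fmt.split():
        name, template = pair.split("::", 1)
        for i, group in enumerate(m.groups(), start=1):
            template = template.replace(f"${i}", group)
        out[name] = template
    return out


def extract_little_number(event, regex=POSTED_REGEX):
    """Run both transforms in order: BIG_NUMBER first, then little_number."""
    fields = delim_extract(event, FIELDS)
    fields.update(regex_extract(fields["BIG_NUMBER"], regex, FORMAT))
    return fields
```

Running `extract_little_number(SAMPLE_EVENT)` yields little_number without the trailing "-VOL1", which is what the original question asks for; the same call with `TIGHT_REGEX` gives the same result on this value but returns no little_number for a value like "A|B-C-D-E-F", which the posted regex accepts.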

Re: Extract field from another field

Explorer

Not working, it isn't catching any value for little_number. I can't figure out what's happening.

0 Karma

Re: Extract field from another field

Legend

Is this configuration done on the box you're running the Splunk web interface on (i.e. the box you use for searching in Splunk)?

0 Karma

Re: Extract field from another field

Explorer

Nope, I'm editing the conf files directly.

0 Karma

Re: Extract field from another field

Legend

Right, but on which Splunk instance? Because all these extractions take place at search-time on the Splunk instance that performs the searching, so for instance if you're gathering this data from a forwarder somewhere and you're applying this configuration on the forwarder rather than on your indexer/search instance, things won't work.

0 Karma

Re: Extract field from another field

Explorer

I'm using a custom app; the conf files are located in the app's local directory. The search commands are both saved in its savedsearches.conf file and inside some XML files as parameters in modules.
So if by instance you mean that, there you go, and if you don't, I'm sorry if I don't understand your questions. I'm pretty new to Splunk and my native language is not English, so it's twice as hard for me to get the concepts.
Thank you for your patience 🙂

0 Karma

Re: Extract field from another field

Legend

No, by instance I more or less mean a Splunk installation on a system. Basically, are you running Splunk in a distributed environment of any kind, or are you running it all on one single box? If you're new to Splunk I'm guessing it's the latter 🙂

The thing is, this extraction really SHOULD work so I'm not sure why it doesn't in your case. Only thing I could think of is if you were applying these settings on the wrong Splunk system.

0 Karma

Re: Extract field from another field

Explorer

I'm doing local tests on my own computer, same thing as the tutorial but with my own app. No servers, no other PCs, static log files.

0 Karma