Extraction in props.conf....still allowed?

Splunk Employee

Hi All,

I need a sanity check. This extraction seemed to work in 4.0. Can someone help? mac_address and source_ip do not show up.

Example Event:

Tue May 11 18:00:32 EDT 2010 prod : xwel22p user=steve ERROR [THREAD]WebContainer REQUEST for 10.12.121.1 [NAMESPACE]com.health .ava.reporting.Ava.reporting.AVAReportingController from 00:1d:e0:24:a1:02 System reassigned Call :: Reason Code = '000012' ICM Call Key = '14949526813' :: Host Key = '21'

So I want to extract 2 fields in Red above: source_IP and mac_address from the source: logtest.log and sourcetype tix.

Stanza in props.conf. (I just put it in the etc/system/local/props.conf to test):

[source::.../logtest.log]
sourcetype = tix
EXTRACT-0 = REQUEST for (?<sourceip>\d+.\d+.\d+.\d+) from (?<macaddress>00:*?:\w+:\w+:\w+:\w+:\w+)

NOTE: I know that sourceip and macaddress need the "<", but answers.splunk.com will blank out the field name... must be an HTML thing.

0 Karma

Splunk Employee

Use the "code" formatting button in the answers.splunk.com editor window to fix your formatting and display literal text, please.

0 Karma

Super Champion

Try using:

[source::.../logtest.log]
sourcetype = tix

[tix]
EXTRACT-0 = (?i)\b(?P<sourceip>\d+\.\d+\.\d+\.\d+) .*? from (?P<macaddress>[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2})\b

(You can indent 4 spaces to use "code" mode, or use backticks.)

Path Finder

First: You can use &lt; (all mushed together) to get a < symbol.

Next, I would say that your regex doesn't have enough room for the stuff that appears between the IP address and the MAC address within the line. Your regex says "in between a dotted IP address and a MAC address is the string ' from ' and nothing more". I think if you added some wildcard characters to your regex between the two matches, you'd be in good shape. I've used EXTRACT phrases in props.conf without issue.

You may also wish to use the regex search operator to fine tune your regular expression before putting it in the file. Issue a search generic enough to find log events like the one you've excerpted above, then | regex <your_regex_here>. The named fields you've extracted would then appear in the field picker area on the bottom left.

Finally, you may wish to escape the . characters in the regex for the sourceip field; . by itself means "match any character", so you'd also find strings like 1a2b3c4.

0 Karma
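To see both points in action (the corrected regex from the Super Champion's answer and the unescaped-dot problem from the Path Finder's), here is an added Python check that is not part of this thread. It runs the two patterns against a constructed copy of the event from the question; Python's re module accepts the same (?P<name>...) groups that Splunk's PCRE-based EXTRACT- uses, so the behaviour carries over.

```python
import re

# Constructed sample event modelled on the one in the question (not a real log line).
EVENT = (
    "Tue May 11 18:00:32 EDT 2010 prod : xwel22p user=steve ERROR [THREAD]WebContainer "
    "REQUEST for 10.12.121.1 [NAMESPACE]com.health.ava.reporting.AVAReportingController "
    "from 00:1d:e0:24:a1:02 System reassigned Call :: Reason Code = '000012'"
)

# The regex suggested in the answer above, exactly as it would sit behind EXTRACT-0.
# ".*?" leaves room for the [NAMESPACE]... text between the IP and " from ".
FIXED = re.compile(
    r"(?i)\b(?P<sourceip>\d+\.\d+\.\d+\.\d+) .*? from "
    r"(?P<macaddress>[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2})\b"
)

# The question's regex with only the HTML-eaten "<" restored: the dots are unescaped
# and nothing is allowed between the IP and " from ", so it cannot match this event.
ORIGINAL = re.compile(
    r"REQUEST for (?P<sourceip>\d+.\d+.\d+.\d+) from "
    r"(?P<macaddress>00:*?:\w+:\w+:\w+:\w+:\w+)"
)

UNESCAPED_IP = re.compile(r"\d+.\d+.\d+.\d+")    # "." matches any character
ESCAPED_IP = re.compile(r"\d+\.\d+\.\d+\.\d+")   # "\." matches a literal dot only


def extract(pattern, event):
    """Return the fields an EXTRACT- stanza would yield for one event ({} if no match)."""
    match = pattern.search(event)
    return match.groupdict() if match else {}


def ip_false_positive(text):
    """True when the unescaped pattern accepts text that the escaped one rejects."""
    return bool(UNESCAPED_IP.search(text)) and not ESCAPED_IP.search(text)


if __name__ == "__main__":
    print("fixed   :", extract(FIXED, EVENT))
    print("original:", extract(ORIGINAL, EVENT))
    print("1a2b3c4 false positive for unescaped dots:", ip_false_positive("1a2b3c4"))
```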

Super Champion

I think you mean rex, not regex. The regex search command is used to filter in/out events that match a regex. But with rex you can actually test extracted values. Once you have a working regex, you can copy and paste it into your props.conf file.

0 Karma