Extraction in props.conf....still allowed?

dcroteau
Splunk Employee

Hi All,

I need a sanity check. This extraction seemed to work in 4.0; can someone help? mac_address and source_ip do not show up.

Example Event:

Tue May 11 18:00:32 EDT 2010 prod : xwel22p user=steve ERROR [THREAD]WebContainer REQUEST for 10.12.121.1 [NAMESPACE]com.health .ava.reporting.Ava.reporting.AVAReportingController from 00:1d:e0:24:a1:02 System reassigned Call :: Reason Code = '000012' ICM Call Key = '14949526813' :: Host Key = '21'

So I want to extract 2 fields in Red above: source_IP and mac_address from the source: logtest.log and sourcetype tix.

Stanza in props.conf. (I just put it in the etc/system/local/props.conf to test):

    [source::.../logtest.log]
    sourcetype = tix
    EXTRACT-0 = REQUEST for (?<sourceip>\d+.\d+.\d+.\d+) from (?<macaddress>00:*?:\w+:\w+:\w+:\w+:\w+)

NOTE: I know that sourceip and macaddress need the "<", but answers.splunk.com will blank out the field name... must be an HTML thing.

0 Karma

gkanapathy
Splunk Employee

Use the "code" formatting button in the answers.splunk.com editor window to fix your formatting and display literal text, please.

0 Karma

Lowell
Super Champion

Try using:

    [source::.../logtest.log]
    sourcetype = tix

    [tix]
    EXTRACT-0 = (?i)\b(?P<sourceip>\d+\.\d+\.\d+\.\d+) .*? from (?P<macaddress>[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2})\b

(You can indent 4 spaces to use "code" mode, or use backticks.)

smisplunk
Path Finder

First: You can use &lt; (all mushed together) to get a < symbol.

Next, I would say that your regex doesn't have enough room for the stuff that appears between the IP address and the MAC address within the line. Your regex says "in between a dotted IP address and a MAC address is the string ' from ' and nothing more". I think if you added some wildcard characters to your regex between the two matches, you'd be in good shape. I've used EXTRACT phrases in props.conf without issue.

You may also wish to use the regex search operator to fine tune your regular expression before putting it in the file. Issue a search generic enough to find log events like the one you've excerpted above, then | regex <your_regex_here>. The named fields you've extracted would then appear in the field picker area on the bottom left.

Finally, you may wish to escape the . characters in the regex for the sourceip field; . by itself means "match any character", so you'd also find strings like 1a2b3c4.

0 Karma

Lowell
Super Champion

I think you mean rex, not regex. The regex search command is used to filter in/out events that match a regex, but with rex you can actually test extracting values. Once you have a working regex, you can copy and paste it into your props.conf file.

0 Karma
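The two regexes in this thread can also be checked offline before touching props.conf. The following is an added example (not from any of the posts above) that runs the question's pattern (with the "<" restored) and Lowell's pattern against a copy of the sample event using Python's re module, which accepts the same (?P<name>...) syntax; it assumes Python's re behaves like Splunk's PCRE for these constructs, which holds for the anchors, classes and quantifiers used here. It also shows smisplunk's unescaped-dot caveat.

```python
import re

# Constructed copy of the sample event from the question.
EVENT = (
    "Tue May 11 18:00:32 EDT 2010 prod : xwel22p user=steve ERROR [THREAD]WebContainer "
    "REQUEST for 10.12.121.1 [NAMESPACE]com.health .ava.reporting.Ava.reporting."
    "AVAReportingController from 00:1d:e0:24:a1:02 System reassigned Call :: "
    "Reason Code = '000012' ICM Call Key = '14949526813' :: Host Key = '21'"
)

# The question's regex, with the '<' that the forum stripped put back (P added for Python).
ORIGINAL = (r"REQUEST for (?P<sourceip>\d+.\d+.\d+.\d+) from "
            r"(?P<macaddress>00:*?:\w+:\w+:\w+:\w+:\w+)")

# Lowell's regex: escaped dots, a lazy wildcard between the two fields, hex-only MAC octets.
FIXED = (r"(?i)\b(?P<sourceip>\d+\.\d+\.\d+\.\d+) .*? from "
         r"(?P<macaddress>[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:"
         r"[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2})\b")


def extract(pattern, event):
    """Mimic an EXTRACT-<name> stanza: return the named groups as a dict,
    or None when the pattern does not match (the fields simply never appear)."""
    m = re.search(pattern, event)
    return m.groupdict() if m else None


def loose_ip_match(text):
    """Unescaped dots: '.' matches any character, so non-IP junk slips through."""
    return re.fullmatch(r"\d+.\d+.\d+.\d+", text) is not None


def strict_ip_match(text):
    """Escaped dots: only a real dotted quad is accepted."""
    return re.fullmatch(r"\d+\.\d+\.\d+\.\d+", text) is not None


if __name__ == "__main__":
    print("original:", extract(ORIGINAL, EVENT))   # None: ' from ' is not right after the IP
    print("fixed:   ", extract(FIXED, EVENT))      # both fields populated
    print("1a2b3c4 loose/strict:", loose_ip_match("1a2b3c4"), strict_ip_match("1a2b3c4"))
```

The same check inside Splunk is `... | rex "<pattern>"` on a search that returns the sample event, as Lowell notes.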