Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

cant concatenate indexed data

cwi
Engager
‎11-30-2011 04:49 PM

concatenating fields at index time doesn't seem to work. I have the following transform:

[gztdnv]
REGEX = <td>\s+(\S+)\s+(\S+)
FORMAT = td_nv::$1.$2
MV_ADD = true

the data looks like:

"<td> BW  400"

I would expect to see a value for td_nv of BW400 after the search. However, the transform remains in its unprocessed state indicating that td_nv is simply "$1.$2". If I just use $1 or $2 it is evaluated correctly with that piece.

This is described in the splunk docs section under "create custom fields at index time". Any ideas?

Tags (2)
0 Karma
Reply

cwi
Engager
‎12-01-2011 01:45 PM

no luck so far... here are the three key files. Restarted splunk and no td_nv field even appears....

transforms.conf :

[gztdnv]
REGEX = \s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = td_nv::"$1.$2"
WRITE_META = true

props.conf :

[mylogs]
TRANSFORMS-gztdnv = gztdnv

fields.conf:

[td_nv]
INDEXED=true

0 Karma
Reply

Ayn
Legend
‎12-01-2011 12:21 PM

You're using REPORT instead of TRANSFORMS for the fields you are trying to concatenate. REPORT is a definition for a search-time extraction, not an index-time extraction. You need to use TRANSFORMS if you want to concatenate values, as this is not supported for search-time extractions.

0 Karma
Reply

cwi
Engager
‎12-01-2011 08:18 AM

Tried it with both FORMAT suggestions with no change so far. The props.conf entry is below. FYI, all the other extracts and reports pieces work.

Thx.

[MyLogs]
TRUNCATE = 0
LINE_BREAKER = (?!)
BREAK_ONLY_BEFORE = ^
TIME_PREFIX = ^\s+
EXTRACT-segName = ^ (?[^\n]+)
EXTRACT-testName = ^ (?[^\n]+)
EXTRACT-testExec = ^ (?[^\n]+)
EXTRACT-npes = ^ (?[^\n]+)
EXTRACT-JobID = ^ (?[^\n]+)
EXTRACT-compiler = ^ (?[^\n]+)
EXTRACT-params = ^ (?[^\n]+)
EXTRACT-rmgr = ^ (?[^\n]+)
EXTRACT-user = ^ (?[^\n]+)
EXTRACT-vers = ^ (?[^\n]+)
EXTRACT-start = ^ (?[^\n]+)
EXTRACT-end = ^ (?[^\n]+)
EXTRACT-results = ^\s*\s+(?[^\n]+)
EXTRACT-nodes = ^ (?[^\n]+)
EXTRACT-real = ^real\s+(?[^\n]+)
REPORT-gztd = gztd
REPORT-gztdnv = gztdnv
REPORT-gzresults = gzresults

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎12-01-2011 07:15 AM

There might be a couple of issues here but try this and let me know if it works:

[gztdnv]
REGEX = \<td\>\s+(\S+)\s+(\S+)
FORMAT = $1::$2
MV_ADD = true

The "<" and ">" have to be escaped with a backslash "\". Also if you are creating a grouping in the REGEX then the FORMAT has to be "$1::$2".

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configureindex-timefieldextraction

0 Karma
Reply

Ayn
Legend
‎12-01-2011 12:22 PM

< and > do not need to be escaped.

0 Karma
Reply

Ayn
Legend
‎11-30-2011 11:57 PM

Is this transform referred to in props.conf using the EXTRACT directive or TRANSFORMS directive? Could you paste the props.conf section?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...