Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

cant concatenate indexed data

cwi
Engager
‎11-30-2011 04:49 PM

concatenating fields at index time doesn't seem to work. I have the following transform:

[gztdnv]
REGEX = <td>\s+(\S+)\s+(\S+)
FORMAT = td_nv::$1.$2
MV_ADD = true

the data looks like:

"<td> BW  400"

I would expect to see a value for td_nv of BW400 after the search. However, the transform remains in its unprocessed state indicating that td_nv is simply "$1.$2". If I just use $1 or $2 it is evaluated correctly with that piece.

This is described in the splunk docs section under "create custom fields at index time". Any ideas?

Tags (2)
0 Karma
Reply

cwi
Engager
‎12-01-2011 01:45 PM

no luck so far... here are the three key files. Restarted splunk and no td_nv field even appears....

transforms.conf :

[gztdnv]
REGEX = \s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = td_nv::"$1.$2"
WRITE_META = true

props.conf :

[mylogs]
TRANSFORMS-gztdnv = gztdnv

fields.conf:

[td_nv]
INDEXED=true

0 Karma
Reply

Ayn
Legend
‎12-01-2011 12:21 PM

You're using REPORT instead of TRANSFORMS for the fields you are trying to concatenate. REPORT is a definition for a search-time extraction, not an index-time extraction. You need to use TRANSFORMS if you want to concatenate values, as this is not supported for search-time extractions.

0 Karma
Reply

cwi
Engager
‎12-01-2011 08:18 AM

Tried it with both FORMAT suggestions with no change so far. The props.conf entry is below. FYI, all the other extracts and reports pieces work.

Thx.

[MyLogs]
TRUNCATE = 0
LINE_BREAKER = (?!)
BREAK_ONLY_BEFORE = ^
TIME_PREFIX = ^\s+
EXTRACT-segName = ^ (?[^\n]+)
EXTRACT-testName = ^ (?[^\n]+)
EXTRACT-testExec = ^ (?[^\n]+)
EXTRACT-npes = ^ (?[^\n]+)
EXTRACT-JobID = ^ (?[^\n]+)
EXTRACT-compiler = ^ (?[^\n]+)
EXTRACT-params = ^ (?[^\n]+)
EXTRACT-rmgr = ^ (?[^\n]+)
EXTRACT-user = ^ (?[^\n]+)
EXTRACT-vers = ^ (?[^\n]+)
EXTRACT-start = ^ (?[^\n]+)
EXTRACT-end = ^ (?[^\n]+)
EXTRACT-results = ^\s*\s+(?[^\n]+)
EXTRACT-nodes = ^ (?[^\n]+)
EXTRACT-real = ^real\s+(?[^\n]+)
REPORT-gztd = gztd
REPORT-gztdnv = gztdnv
REPORT-gzresults = gzresults

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎12-01-2011 07:15 AM

There might be a couple of issues here but try this and let me know if it works:

[gztdnv]
REGEX = \<td\>\s+(\S+)\s+(\S+)
FORMAT = $1::$2
MV_ADD = true

The "<" and ">" have to be escaped with a backslash "\". Also if you are creating a grouping in the REGEX then the FORMAT has to be "$1::$2".

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configureindex-timefieldextraction

0 Karma
Reply

Ayn
Legend
‎12-01-2011 12:22 PM

< and > do not need to be escaped.

0 Karma
Reply

Ayn
Legend
‎11-30-2011 11:57 PM

Is this transform referred to in props.conf using the EXTRACT directive or TRANSFORMS directive? Could you paste the props.conf section?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...