Getting Data In

Extract field from source field then run a lookup - config error?

borgy95
Path Finder

I want to add a field extracttion to props.conf that will extract a portion of the uri field to create a custom field called kap_uri.
So eventually i can do the following:

sourcetype=access_combined_wcookie kap_uri=* | lookup bad_url_lookup kap_uri OUTPUT maskid kap_uri | table kap_uri,maskid

According to the docs i expected this to work as follows:

 [host::mimi]
    EXTRACT-kap_uri = (?:(http\:\/\/www\.|\w+:\/\/|www\.|)(?<kap_uri>.+)) in uri

But when I search ("host=mimi kap_uri=* | table kap_uri") for the field in splunk nothing is returned.

After searching some more a transform.conf edit was suggested so i have tried,

#props.conf
[access_combined_wcookie]
REPORT-kap_uri = kapersky_uri

#transforms.conf
[kapersky_uri]
SOURCE_KEY = kap_uri
REGEX = (?:( http\:\/\/www\.|\w+:\/\/|www\.|)(?<kap_uri>.+))

Any ideas why this is not working, how can I get this field extraction,I tested the regex with rex field=uri "(?:(http\:\/\/www\.|\w+:\/\/|www\.|)(?&lt;kap_uri&gt;.+))" and it worked well

0 Karma
1 Solution

woodcock
Esteemed Legend

Your first method should have worked depending on the uri filed (for which you have not given any examples so we cannot help you further) and the host. For the first method, switch your stanza header from host-based to [access_combined_wcookie]. For your second method, you need to change SOURCE_KEY = kap_uri to SOURCE_KEY = uri.

View solution in original post

0 Karma

woodcock
Esteemed Legend

Your first method should have worked depending on the uri filed (for which you have not given any examples so we cannot help you further) and the host. For the first method, switch your stanza header from host-based to [access_combined_wcookie]. For your second method, you need to change SOURCE_KEY = kap_uri to SOURCE_KEY = uri.

0 Karma

borgy95
Path Finder

Thank you, The source key edit fixed it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...