Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract field from source field then run a lookup - config error?

borgy95
Path Finder
‎07-02-2015 08:35 AM

I want to add a field extracttion to props.conf that will extract a portion of the uri field to create a custom field called kap_uri.
So eventually i can do the following:

sourcetype=access_combined_wcookie kap_uri=* | lookup bad_url_lookup kap_uri OUTPUT maskid kap_uri | table kap_uri,maskid

According to the docs i expected this to work as follows:

 [host::mimi]
    EXTRACT-kap_uri = (?:(http\:\/\/www\.|\w+:\/\/|www\.|)(?<kap_uri>.+)) in uri

But when I search ("host=mimi kap_uri=* | table kap_uri") for the field in splunk nothing is returned.

After searching some more a transform.conf edit was suggested so i have tried, 

#props.conf
[access_combined_wcookie]
REPORT-kap_uri = kapersky_uri

#transforms.conf
[kapersky_uri]
SOURCE_KEY = kap_uri
REGEX = (?:( http\:\/\/www\.|\w+:\/\/|www\.|)(?<kap_uri>.+))

Any ideas why this is not working, how can I get this field extraction,I tested the regex with rex field=uri "(?:(http\:\/\/www\.|\w+:\/\/|www\.|)(?&lt;kap_uri&gt;.+))" and it worked well

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-02-2015 08:48 AM

Your first method should have worked depending on the uri filed (for which you have not given any examples so we cannot help you further) and the host. For the first method, switch your stanza header from host-based to [access_combined_wcookie]. For your second method, you need to change SOURCE_KEY = kap_uri to SOURCE_KEY = uri.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-02-2015 08:48 AM

Your first method should have worked depending on the uri filed (for which you have not given any examples so we cannot help you further) and the host. For the first method, switch your stanza header from host-based to [access_combined_wcookie]. For your second method, you need to change SOURCE_KEY = kap_uri to SOURCE_KEY = uri.

0 Karma
Reply
Solved! Jump to solution

borgy95
Path Finder
‎07-06-2015 08:32 AM

Thank you, The source key edit fixed it.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...
Top