Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can point transforms REGEX parameter in transforms.conf?

rakesh_498115
Motivator
‎01-28-2014 02:48 AM

Hi..

I have a created a regex called "ClientDetails" in props.conf and i need two more fields from this extracted field "ClientDetails" , and these fields need to be have MV_ADD feature.

So now how can i define them in transforms.conf

props.conf

EXTRACT-ClientDetails = [A-Z]{1}\s[A-Z]{1}\s([A-Z]{2})\s?(?<ClientDetails>[^\s\']*)[\s\']
REPORT-userinfo = userinfo

transforms.conf

[userinfo]
REGEX = \,?(?<UserName>[^(]*)\((?<SectionName>[^)]*)\) in ClientDetails
MV_ADD=true

but this seems to be not workin . can u pls where i am going wrong.

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎01-28-2014 03:58 AM

REGEX does not work with the in sourcefield option (like EXTRACT does). Thus, the 'in ClientDetails' part of your regex is seen as a literal string to be matched. So you probably need to rewrite the regular expression so that it will work for the whole event (_raw).

Hope this helps,

K

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...