Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you write props and transforms for my below search?

raghuchams4527
Explorer
‎12-21-2018 06:40 AM

I'm looking for transforms and props.conf to get the two fields act and action

index=blue_sec sourcetype=rsa:security_analytics
|rex field=_raw "act=(?[^\"]+)\sspt="| makemv delim="," act| stats values(act) AS action by _raw  
|rex field=_raw "act=(?[^\"]+)\sspt=" | table act,action
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-21-2018 07:47 AM

HI raghuchams4527,
did you tried to extract your fields using the Field Extractor?
You can use your regexes.

Otherwise, you can go in fields section and create a new field using your regexes.

To better help you, could you use the Code Sample button to display your regexes? without it it isn't possible to correctly see your regex.

Bye.
Giuseppe

Reply

raghuchams4527
Explorer
‎12-21-2018 08:04 AM

Thanks for the suggestion. I'm looking for the transforms how to write makemv delim and stats command in props and transform.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-21-2018 08:10 AM

HI raghuchams4527,
if you want, you can create a macro with your commands, this is useful if you think to reuse your search.
Bye.
Giuseppe

0 Karma
Reply

raghuchams4527
Explorer
‎12-21-2018 08:12 AM

how to create a macro?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-21-2018 08:17 AM

HI raghuchams4527,
go in Settings -- Advanced Search -- Search macros -- Add new
and then copy your commands or part of them.
Bye.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-21-2018 08:28 AM

HI raghuchams4527,
if you're satisfied by this answer, please accept and/ot upvote it.
Bye.
Giuseppe

0 Karma
Reply

raghuchams4527
Explorer
‎12-21-2018 08:21 AM

thanks cusello

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎12-21-2018 07:42 AM

What are you trying to do? I see you're using rex to extract fields but they don't have names. Also, whats your purpose for wanting to use transforms and props?

0 Karma
Reply

raghuchams4527
Explorer
‎12-21-2018 10:07 AM

index=blue_sec sourcetype=rsa:security_analytics
|rex field=_raw "act=(?[^\"]+)\sspt="| makemv delim="," act| stats values(act) AS action by _raw

|rex field=_raw "act=(?[^\"]+)\sspt=" | table act,action

0 Karma
Reply

raghuchams4527
Explorer
‎12-21-2018 10:08 AM

Actually i put the name for rex but its not displayed on the result. (?)

0 Karma
Reply

raghuchams4527
Explorer
‎12-21-2018 10:05 AM

I want to extract act and action fields. If you remove the stats command im not getting the unique values from action field.

the values i'm looking
act = GET,POST,GET,GET,GET,GET,POST,POST
action = GET POST

0 Karma
Reply

raghuchams4527
Explorer
‎12-21-2018 08:02 AM

I want to extract act and action fields. If you remove the stats command im not getting the unique values from action field.

the values i'm looking
act = GET,POST,GET,GET,GET,GET,POST,POST
action = GET POST

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top