Getting Data In

Indextime extracted field requires wild card to search

ips_mandar
Builder

Below are a few samples of what my source filenames look like:

source="\\abc.com\storage\Queue\Name1\abcdLogs\sample0008095200531.txt"
source="\\abc.com\storage\Queue\Name1\abcdLogs\sample0008096200531.txt"

Here the last 6 digits before .txt represent the date, i.e. in the above case 200531 is 31st May 2020.
I want to extract the Id which comes before the date and after "sample" at index time, and if the Id has leading 0s they need to be excluded (if present), so in the above two cases my Id will be 8095 and 8096.
Below is my transforms.conf -

[Id]
SOURCE_KEY = MetaData:Source
REGEX = sample0*([0-9A-Za-z]+)\d{6}.*txt
FORMAT = Id::$1
WRITE_META = true

fields.conf -

[Id]
INDEXED=true
INDEXED_VALUE=source::*<VALUE>*

Now when I search for e.g. Id="8095" it won't return any results, but when I search Id="*8095" then it does return results. Sometimes I have to include a wildcard at the start or at the end to show results.
Why is a space getting included at the start or at the end of Id? Am I doing anything wrong?
Thanks,


s2_splunk
Splunk Employee

Your RegEx looks good, although I'd suggest replacing .*txt with \.*txt, i.e. match ".txt" literally.
In fields.conf, you may want to set INDEXED_VALUE=false, because you are creating a new indexed field named "Id", the value for which is NOT contained in the raw event text.
Let us know how it goes.

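To check the index-time extraction offline before touching the indexer, here is an added example (not from the thread and not Splunk's own code) that emulates the REGEX/FORMAT part of the transforms.conf stanza with Python's re module, which treats this pattern the same way as Splunk's PCRE; the source paths are constructed from the ones quoted above, and ".txt" is matched literally as the answer suggests.

```python
import re

# Constructed sample values of MetaData:Source, modelled on the question's paths.
SAMPLE_SOURCES = [
    r"\\abc.com\storage\Queue\Name1\abcdLogs\sample0008095200531.txt",
    r"\\abc.com\storage\Queue\Name1\abcdLogs\sample0008096200531.txt",
    r"\\abc.com\storage\Queue\Name1\abcdLogs\sample0000042200531.txt",  # longer zero run
    r"\\abc.com\storage\Queue\Name1\abcdLogs\readme.txt",               # no Id at all
]

# The stanza from the question, with .*txt tightened to \.txt so the six date
# digits must sit directly before the literal ".txt" extension.
TRANSFORM = {
    "SOURCE_KEY": "MetaData:Source",
    "REGEX": r"sample0*([0-9A-Za-z]+)\d{6}\.txt$",
    "FORMAT": "Id::$1",
}


def apply_transform(source: str, transform: dict = TRANSFORM) -> dict:
    """Emulate what the index-time transform writes into event metadata:
    a dict of field -> value, or {} when REGEX does not match the source."""
    m = re.search(transform["REGEX"], source)
    if not m:
        return {}
    fields = {}
    # FORMAT is a space-separated list of name::value pairs where $N refers
    # to capture group N of REGEX; substitute the groups into each value.
    for pair in transform["FORMAT"].split():
        name, ref = pair.split("::", 1)
        fields[name] = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), ref)
    return fields


def extract_ids(sources: list) -> list:
    """Return the Id each source would get, or None where nothing is extracted."""
    return [apply_transform(s).get("Id") for s in sources]


if __name__ == "__main__":
    for src, ident in zip(SAMPLE_SOURCES, extract_ids(SAMPLE_SOURCES)):
        print(f"{ident!s:>6}  <-  {src}")
```

Leading zeros are dropped because the greedy `0*` consumes them before the capture group starts, and `\d{6}\.txt$` forces the group to stop exactly six digits before the extension.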