Solved: Re: Translation from rex to IFX or props.conf

royimad · ‎08-21-2013

I have the following query and i would like to preserve the extraction and not calling this extraction each time on a search

... | rex field=TotalCabinets "(?<DescriptionTotal>.*):(?<TotalCabinetsNbr>.*)" | table ...

How do i preserve "save" this extraction without calling it each time on my query, what is the translation of this query on Interactive field extraction or on props.conf?

kristian_kolb · ‎08-21-2013

Assuming you have single-line events;
props.conf

[your_sourcetype]
EXTRACT-blah = (?m)Total\sCabinets:(?<TotalCabinetsNbr>\d+)

ought to work. If it doesn't, please post some sample events.

Note: Edited for multiline logs and the extra space.

/K

View solution in original post

kristian_kolb · ‎08-21-2013

In my example below you see that the field is extracted straight from the event text. Not based off an extracted field.

kristian_kolb · ‎08-21-2013

Assuming you have single-line events;
props.conf

[your_sourcetype]
EXTRACT-blah = (?m)Total\sCabinets:(?<TotalCabinetsNbr>\d+)

ought to work. If it doesn't, please post some sample events.

Note: Edited for multiline logs and the extra space.

/K

kristian_kolb · ‎08-21-2013

Apart from the edited regex above, you could also try (if TotalCabinets is already extracted).

EXTRACT-blah = some_regex in source_field

Haven't really played with that, but I assume that all 'in source_field' extractions take place after those that work on _raw. See the EXTRACT section of the props.conf docs.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Propsconf

royimad · ‎08-21-2013

Here is an example event:
Date = "20-Aug-2013 08:32:10 -0400"
From = "Roy Imad roy.imad@company.com"
To = "Roy Imad roy.imad@company.com"
Subject = "FW: [POSMonitor R1.5.1.0] DCPMonitor Inspection Summary"
mailbox = "splunk"
size = 12691
____________________ Message Body ____________________

DCPMonitor REPORT - Tue, Aug 20, 2013 at 00:00

Total Cabinets: 152, Offline Cabinets: 6
XPOS10027 - St ZZZZZZ Hospital of XXXXX - Cath Lab - Cath Room

royimad · ‎08-21-2013

There are space between Total and Cabinets ,
can i use EXTRACT-blah = "Total Cabinets:"(?<TotalCabinetsNbr>\d+) ?

cpeteman · ‎08-21-2013

I'm not sure if you can extract information from another field if you extract that first field in the same props.conf file. Is that the case here?

royimad · ‎08-21-2013

I need 293 the value wich is TotalCabinetNbr

royimad · ‎08-21-2013

TotalCabinets is already extracted and exist, I need to extract TotalCabinetNbr

TotalCabinets is like "Total Cabinets:293" and i need

cpeteman · ‎08-21-2013

Whcih is the field you want TotalCabinets or TotalCabinetsNbr?

Translation from rex to IFX or props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation