Solved: Translation from rex to IFX or props.conf

royimad · ‎08-21-2013

I have the following query and i would like to preserve the extraction and not calling this extraction each time on a search

... | rex field=TotalCabinets "(?<DescriptionTotal>.*):(?<TotalCabinetsNbr>.*)" | table ...

How do i preserve "save" this extraction without calling it each time on my query, what is the translation of this query on Interactive field extraction or on props.conf?

kristian_kolb · ‎08-21-2013

Assuming you have single-line events;
props.conf

[your_sourcetype]
EXTRACT-blah = (?m)Total\sCabinets:(?<TotalCabinetsNbr>\d+)

ought to work. If it doesn't, please post some sample events.

Note: Edited for multiline logs and the extra space.

/K

View solution in original post

kristian_kolb · ‎08-21-2013

In my example below you see that the field is extracted straight from the event text. Not based off an extracted field.

kristian_kolb · ‎08-21-2013

Assuming you have single-line events;
props.conf

[your_sourcetype]
EXTRACT-blah = (?m)Total\sCabinets:(?<TotalCabinetsNbr>\d+)

ought to work. If it doesn't, please post some sample events.

Note: Edited for multiline logs and the extra space.

/K

kristian_kolb · ‎08-21-2013

Apart from the edited regex above, you could also try (if TotalCabinets is already extracted).

EXTRACT-blah = some_regex in source_field

Haven't really played with that, but I assume that all 'in source_field' extractions take place after those that work on _raw. See the EXTRACT section of the props.conf docs.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Propsconf

royimad · ‎08-21-2013

Here is an example event:
Date = "20-Aug-2013 08:32:10 -0400"
From = "Roy Imad roy.imad@company.com"
To = "Roy Imad roy.imad@company.com"
Subject = "FW: [POSMonitor R1.5.1.0] DCPMonitor Inspection Summary"
mailbox = "splunk"
size = 12691
____________________ Message Body ____________________

DCPMonitor REPORT - Tue, Aug 20, 2013 at 00:00

Total Cabinets: 152, Offline Cabinets: 6
XPOS10027 - St ZZZZZZ Hospital of XXXXX - Cath Lab - Cath Room

royimad · ‎08-21-2013

There are space between Total and Cabinets ,
can i use EXTRACT-blah = "Total Cabinets:"(?<TotalCabinetsNbr>\d+) ?

cpeteman · ‎08-21-2013

I'm not sure if you can extract information from another field if you extract that first field in the same props.conf file. Is that the case here?

royimad · ‎08-21-2013

I need 293 the value wich is TotalCabinetNbr

royimad · ‎08-21-2013

TotalCabinets is already extracted and exist, I need to extract TotalCabinetNbr

TotalCabinets is like "Total Cabinets:293" and i need

cpeteman · ‎08-21-2013

Whcih is the field you want TotalCabinets or TotalCabinetsNbr?

Translation from rex to IFX or props.conf

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Translation from rex to IFX or props.conf

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!