ok, we have a field defined (user), and for another sourcetype I have the extracts already occurring for appUser and appDomain.. so for this sourcetype I want user to be overridden as appUser@appDomain.
my guess would be index time? But I don't really care as long as it works.
looking at:
http://www.splunk.com/support/forum:SplunkGeneral/2684
it looks like maybe this isn't doable with extracted fields?
Correct. Concatenating different values for one single field when doing extractions is possible with index-time extractions only.
A quick and easy solution would be to use eval or strcat to concatenate the field values together. Like:
<yourbasesearch> | eval user=appUser."@".appDomain
If you (or your users) don't want to have to specify that in every search though, you kind of can concatenate your appUser and appDomain values to the user field in props.conf and transforms.conf. The idea would be to take the regex for one of them, then glue it together with the regex for the other using some generic matching regex between them, match both fields, then combine them. NOTE: this can be done ONLY for index-time extractions. Concatenating fields together in this way does not work with search-time extractions. At search-time you'd have to use the eval solution.
In props.conf:
[yoursourcetype]
TRANSFORMS-user = extractuser
In transforms.conf:
[extractuser]
REGEX = (the appUser regex).+?(the appDomain regex)
FORMAT = user::$1@$2
My bad - this cannot be done with search-time extractions, just at index-time, as described in transforms.conf.spec. You need TRANSFORMS instead of REPORT. Updating my answer to reflect that.
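To make the two approaches in the answer concrete, here is an added example (not from the thread and not Splunk's own code) that simulates what the index-time TRANSFORMS stanza does: run one REGEX with two capture groups against the raw event and build the user field from the FORMAT template, and, beside it, the search-time equivalent of the eval expression. The sample events and the two regexes are constructed for illustration; in a real deployment they would be the existing appUser and appDomain regexes from the sourcetype's extractions. It also shows the case a practitioner cares about: when the REGEX does not match, no user field is produced at all, rather than a literal "$1@$2".

```python
import re

# Constructed sample events (not taken from the thread): an application log in
# which the user name and the login domain sit in separate parts of the line.
SAMPLE_EVENTS = [
    "2023-01-01T10:00:00 app=portal appUser=alice action=login appDomain=corp.example",
    "2023-01-01T10:00:05 app=portal appUser=bob action=logout appDomain=dev.example",
    "2023-01-01T10:00:09 app=portal action=heartbeat",  # no user fields at all
]

# Hypothetical transforms.conf stanza in the shape the answer describes:
# (appUser regex) + a generic ".+?" bridge + (appDomain regex), then FORMAT glues
# the captures together. In Splunk the REGEX runs against _raw by default.
TRANSFORM = {
    "REGEX": r"appUser=(\w+).+?appDomain=([\w.]+)",
    "FORMAT": "user::$1@$2",
}


def apply_transform(event, transform):
    """Simulate one index-time transform on a raw event.

    Returns {field: value} when REGEX matches, or {} when it does not, so the
    FORMAT placeholders never leak into an event as a literal "$1@$2".
    """
    match = re.search(transform["REGEX"], event)
    if match is None:
        return {}
    field, template = transform["FORMAT"].split("::", 1)
    # Replace $1, $2, ... with the corresponding capture groups.
    value = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", template)
    return {field: value}


def extract_all(events, transform):
    """Apply the transform to every event, index-time style."""
    return [apply_transform(event, transform) for event in events]


def eval_user(fields):
    """Search-time equivalent of `| eval user=appUser."@".appDomain`.

    `fields` is the dict of already-extracted fields for one event. Splunk's
    string concatenation yields null when either operand is missing, so the
    same is done here instead of producing a half-built value.
    """
    if "appUser" in fields and "appDomain" in fields:
        return fields["appUser"] + "@" + fields["appDomain"]
    return None


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS, TRANSFORM)):
        print(result, "<-", event)
    print(eval_user({"appUser": "alice", "appDomain": "corp.example"}))
```

Running the block prints the user field for the first two events and an empty dict for the heartbeat line. The reason the index-time variant needs a single REGEX over the raw event is visible in apply_transform: both values must come out of the same match so that the FORMAT template can reference them as $1 and $2 together.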
thanks.. that is sort of working, but it isn't substituting correctly (just leaving $1@$2 for the field value). I suspect it's because I'm trying to use SOURCE_KEY={another extracted field from a previous transform}. I guess I have to regex from the overall raw log message?
So when the user issues the search, the returned fields include "user", "appUser" and "appDomain"?
I may not be making this clear.. there is already an extract for appUser and appDomain. We have a generic (more than this app) field called "user" and I want to concat these two fields with an "@" sign in the middle. I don't want the user to have to do this in every search (I don't really care if it is done at index time or not)
How do you know which user corresponds to which appUser@appDomain?
Why not just use rename as?
can I do that in props or something? I know I can do it in an individual search, but I need it done for everyone.