Getting Data In

create permanent field via rest api

snigdha9nov
Engager

can permanent field be created by using regular expression via rest api?

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Summarizing comments into answer.

To create a props configuration using the REST API, the parameters below are required.

  1. name - A user-friendly name for the stanza.
  2. stanza - Here you can define the stanza based on host, source or sourcetype. For host, the stanza will be stanza="host::yourhostname", for source the stanza will be stanza="source::yoursource", and for sourcetype you do not need to provide any prefix, so the stanza will be stanza=yoursourcetype.
  3. type - Depends on your requirement: if you want to use transforms.conf then specify REPORT, or if you want to use an inline regex then specify EXTRACT.
  4. value - For an inline REGEX (aka EXTRACT) provide your regular expression, for example: "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$", or if you want to use transforms (aka REPORT) then provide a comma- or space-delimited list of transforms.

For example: I have the raw data "This is myimage" with sourcetype mysourcetype, and I want to extract the word myimage from the raw data into the image field. Then we can use the curl command below to fire a POST REST API call. The curl command below will create a Private Field Extraction in the search app, and the owner will be the admin user.

curl -vk -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=test -d stanza=mysourcetype -d type=EXTRACT -d "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$"


0 Karma
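An added helper (not from the thread or the Splunk SDK) that prepares the same POST to data/props/extractions in Python. It applies the stanza prefix rule from the answer, checks that the regex actually contains a named capture group (an EXTRACT with no named group creates no field), and form-encodes the value so that characters such as "+" and "&" in the regex survive transport, which a plain curl -d does not guarantee. The send() function assumes a reachable splunkd and a CA file you trust; everything else runs offline.

```python
"""Prepare a Splunk REST request that creates an EXTRACT-type props.conf
field extraction. Added example; endpoint and parameters follow the thread."""
import base64
import re
import ssl
import urllib.parse
import urllib.request

# Matches PCRE named groups in either (?<name>...) or (?P<name>...) form.
NAMED_GROUP = re.compile(r"\(\?P?<([A-Za-z_]\w*)>")


def field_names(regex):
    """Return the named capture groups in a Splunk (PCRE) regex.
    Splunk only creates fields from named groups, so an empty list means
    the extraction would be accepted but never produce a field."""
    return NAMED_GROUP.findall(regex)


def stanza_for(kind, target):
    """Prefix rule from the answer: host and source need a prefix,
    sourcetype is passed bare."""
    if kind == "sourcetype":
        return target
    if kind in ("host", "source"):
        return f"{kind}::{target}"
    raise ValueError("kind must be host, source or sourcetype")


def build_request(base_url, owner, app, name, kind, target, regex):
    """Return (url, body) for the POST. The body is form-encoded, so a
    regex containing '+' arrives intact instead of decoding as a space."""
    if not field_names(regex):
        raise ValueError("regex has no named capture group; no field would be created")
    url = f"{base_url}/servicesNS/{owner}/{app}/data/props/extractions"
    body = urllib.parse.urlencode({
        "name": name,
        "stanza": stanza_for(kind, target),
        "type": "EXTRACT",
        "value": regex,
    })
    return url, body


def send(url, body, user, password, cafile=None):
    """POST the prepared request with Basic auth (same as curl -u).
    TLS is verified against cafile or the system CAs rather than skipped
    as with curl -k. Needs a live splunkd, so it is not run offline."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status
```

Check the body with urllib.parse.parse_qs before sending: the decoded value must be byte-for-byte the regex you tested on regex101.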


harsmarvania57
Ultra Champion

Hi,

Can you please clarify "permanent field"? If you want to create a props.conf configuration to extract a field using the REST API, then have a look at this answer: https://answers.splunk.com/answers/688049/how-do-i-alter-propsconf-via-python-sdk.html

0 Karma

snigdha9nov
Engager

I am trying this:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=image -d stanza=openstack -d type=EXTRACT -d "value= ^(?:[^\.\n]*\.){6}(?P[^ ]+)"
I can see this extracted field in field extractions, but when I look at my dataset "openstack" in the search app, it is not showing as an interesting field on the left side. I want to see it permanently as an interesting field.

0 Karma

harsmarvania57
Ultra Champion

Looks like your regex is wrong, or the Splunk Answers website removed part of the regex. Always use the 101010 button when posting code or a regex.

Can you please confirm your regex: is it ^(?:[^\.\\n]*\.){6}(?P[^ ]+) OR ^(?:[^\.\\n]*\.){6}(?P<ext_field>[^ ]+)

0 Karma

snigdha9nov
Engager

I am trying to use this command from the Splunk REST API reference manual:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?\d+)"

But I am confused by "value=port (?\d+)". What is the "port" before the regular expression?

0 Karma

harsmarvania57
Ultra Champion

That is part of the regular expression. It should match something like "port 1234", and from this match it will extract 1234 into the port_number field.

0 Karma

snigdha9nov
Engager

So if I want to extract a field by regex and give it the name "image", how should the command look?
stanza = openstack (source or sourcetype)
type = EXTRACT
value = ??
name = ??
What should name and value be?

0 Karma

harsmarvania57
Ultra Champion

In stanza you need to provide a host, source or sourcetype. I guess if you want to provide a host or source then the stanza should be like host::yourhostname or source::yoursourcename.

In value you need to provide your regular expression. Let's say your _raw data is "This is myimage" and you want to extract myimage into the image field; then your regular expression should be like this: ^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$ . Sample data with the regex: https://regex101.com/r/3G2UsI/1

In name, provide a user-friendly name for this configuration (stanza).

0 Karma

snigdha9nov
Engager

Are you sure host::yourhostname or source::yoursourcename is the correct way to write the stanza?
I specified stanza=mysourcename and can see my extracted field in field extractions, the same way as when I did it in the Splunk web page with a regex, but I am unable to see it on the left side as an interesting field.

0 Karma

harsmarvania57
Ultra Champion

Yes, I am sure. For host and source you need to use host::yourhostname and source::yoursourcename; for sourcetype you do not need to use any prefix.

For sourcetype you can use stanza=yoursourcetype.

snigdha9nov
Engager

Ok, thanks a lot. I was getting stuck with it.

0 Karma