Summarizing comments into answer.
To create a props configuration using the REST API, the parameters below are required.
- name - User-friendly name of the stanza.
- stanza - Here you can define the stanza based on host, source or sourcetype. For host, the stanza will be stanza="host::yourhostname", for source the stanza will be stanza="source::yoursource", and for sourcetype you do not need to provide any prefix, so the stanza will be stanza=yoursourcetype.
- type - Depends on your requirement: if you want to use transforms.conf then specify REPORT, or if you want to use an inline regex then specify EXTRACT.
- value - For an inline regex (aka EXTRACT) provide your regular expression, for example: "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$", or if you want to use transforms (aka REPORT) then provide a comma- or space-delimited transforms list.
For example: I have raw data This is myimage with sourcetype mysourcetype, and I want to extract the word myimage from the raw data into the image field. Then we can use the curl below to fire the POST REST API; the curl command below will create a private field extraction in the search app and the owner will be the admin user.
curl -vk -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=test -d stanza=mysourcetype -d type=EXTRACT -d "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$"
Hi,
Can you please clarify "permanent field"? If you want to create a props.conf configuration to extract a field using the REST API, then have a look at this answer: https://answers.splunk.com/answers/688049/how-do-i-alter-propsconf-via-python-sdk.html
I am trying this:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=image -d stanza=openstack -d type=EXTRACT -d "value= ^(?:[^\.\n]*\.){6}(?P[^ ]+)"
I can see this extracted field in field extractions, but when I look at my dataset "openstack" in the search app, it is not showing up as an interesting field on the left side. I want to see it permanently as an interesting field.
Looks like your regex is wrong, or the Splunk Answers website removed a certain part of the regex. Always use the 101010 button when posting code or a regex.
Can you please confirm your regex, is this ^(?:[^\.\\n]*\.){6}(?P[^ ]+)
OR ^(?:[^\.\\n]*\.){6}(?P<ext_field>[^ ]+)
I am trying to use this command from the Splunk REST API reference manual:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?<port_number>\d+)"
but I am confused with "value=port (?<port_number>\d+)": what is "port" before the regular expression?
That is part of the regular expression, which should match something like port 1234, and from this match it will extract 1234 into the port_number field.
So if I want to extract a field by regex and I want to give it the name "image", what should the command be?
stanza = openstack (source or sourcetype)
type = EXTRACT
value = ??
name = ??
What should name and value be?
In stanza you need to provide host, source or sourcetype. I guess if you want to provide host or source then the stanza should be like host::yourhostname or source::yoursourcename.
In value you need to provide your regular expression. Let's say your _raw data is This is myimage and you want to extract myimage into the image field; then your regular expression should be like this: ^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$ (sample data with regex: https://regex101.com/r/3G2UsI/1).
In name, it will be a user-friendly name for this configuration (stanza).
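The two explanations in this thread (the summarized answer at the top and the comment just above) both describe the same four parameters. The following script is an added example, not code from the thread or from Splunk: it applies the stanza-prefix rule, dry-runs an EXTRACT regex against sample events before it is sent, and assembles the POST for /servicesNS/<owner>/<app>/data/props/extractions. The function names, the sample events, and the host name web01 are assumptions made for the example; the regexes under test are the working one from the answer and the one the site garbled earlier in the thread. Splunk evaluates EXTRACT regexes with PCRE, so the script translates only the PCRE idioms the thread uses ((?<name>...), \h, \v) into forms Python's re accepts; that translation is an approximation and is labelled as such in the code.

```python
"""Dry-run an inline field extraction (a props.conf EXTRACT) before creating it
through Splunk's REST endpoint /servicesNS/<owner>/<app>/data/props/extractions.

Added example for this thread, not code from the thread or from Splunk. The
sample raw events and the regexes under test are constructed; the endpoint,
the name/stanza/type/value parameters and the host::/source:: stanza prefixes
are the ones the answers above describe.
"""
import re
from urllib.parse import urlencode

# stanza = host::<host>, source::<source>, or the bare sourcetype name
STANZA_PREFIX = {"host": "host::", "source": "source::", "sourcetype": ""}

# The working regex from the thread, and the one the forum page mangled by
# stripping the <name> out of its (?P<name>...) group.
THREAD_REGEX = r"^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$"
GARBLED_REGEX = r"^(?:[^\.\n]*\.){6}(?P[^ ]+)"

# Constructed events: two leading words, then the value we want in `image`.
SAMPLE_EVENTS = ["This is myimage", "one two three four"]


def stanza_for(kind, value):
    """Build the `stanza` parameter: host and source need a prefix, sourcetype does not."""
    if kind not in STANZA_PREFIX:
        raise ValueError("stanza kind must be host, source or sourcetype, got %r" % kind)
    return STANZA_PREFIX[kind] + value


def pcre_to_python(pattern):
    """Splunk evaluates EXTRACT regexes with PCRE; Python's `re` does not accept
    the (?<name>...) group form (only (?P<name>...), which PCRE also accepts) and
    has no \\h / \\v whitespace classes.  Translate just those idioms, inside or
    outside a character class, so the pattern can be dry-run here.  This is an
    approximation for the forms seen in the thread, not a full PCRE converter."""
    # (?<name> -> (?P<name>, leaving the lookbehinds (?<= and (?<! untouched
    pattern = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)
    for pcre, in_class, standalone in ((r"\h", r" \t", r"[ \t]"),
                                       (r"\v", r"\n\x0b\f\r", r"[\n\x0b\f\r]")):
        pattern = pattern.replace("[^" + pcre + "]", "[^" + in_class + "]")
        pattern = pattern.replace("[" + pcre + "]", "[" + in_class + "]")
        pattern = pattern.replace(pcre, standalone)
    return pattern


def validate_extract(regex):
    """Return None when the regex compiles and names at least one capture group
    (Splunk names the extracted field after it); otherwise a short reason."""
    try:
        compiled = re.compile(pcre_to_python(regex))
    except re.error as exc:
        return "does not compile: %s" % exc
    if not compiled.groupindex:
        return "no named capture group, so EXTRACT has no field name to create"
    return None


def dry_run(regex, events):
    """Apply the extraction to each raw event; one dict of field -> value per event."""
    compiled = re.compile(pcre_to_python(regex))
    results = []
    for raw in events:
        match = compiled.search(raw)
        results.append(match.groupdict() if match else {})
    return results


def extraction_request(owner, app, name, kind, target, regex, host="localhost", port=8089):
    """URL and form body of the POST that creates the extraction; nothing is sent here."""
    problem = validate_extract(regex)
    if problem:
        raise ValueError("refusing to create extraction %r: %s" % (name, problem))
    url = "https://%s:%d/servicesNS/%s/%s/data/props/extractions" % (host, port, owner, app)
    body = urlencode({"name": name, "stanza": stanza_for(kind, target),
                      "type": "EXTRACT", "value": regex})
    return url, body


if __name__ == "__main__":
    print(dry_run(THREAD_REGEX, SAMPLE_EVENTS))
    print(validate_extract(GARBLED_REGEX))
    url, body = extraction_request("admin", "search", "test", "sourcetype", "mysourcetype", THREAD_REGEX)
    print(url)
    print(body)
```

The garbled regex fails validate_extract before any request is built, which is the check that would have caught the `(?P[^ ]+)` problem discussed earlier in the thread. When you do send the request, note that the curl commands in this thread put the password on the command line (visible in the process list and shell history) and use -k, which disables certificate verification; reading the credential from a .netrc file or an environment variable and pointing curl at the Splunk CA certificate avoids both.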
Are you sure host::yourhostname or source::sourcename is the correct way to write the stanza?
I used stanza=mysourcename and can see my extracted field in field extractions, the same way as when I did it on the Splunk Web page with the regex, but I am unable to see it on the left side as an interesting field.
Yes, I am sure: for host and source you need to use host::yourhostname and source::yoursourcename; for sourcetype you do not need to use any prefix. For sourcetype you can use stanza=yoursourcetype.
OK, thanks a lot. I was getting stuck with it.