Summarizing comments into answer.
To create a props configuration using the REST API, the below parameters are required.
stanza: for host the stanza will be stanza="host::yourhostname", for source the stanza will be stanza="source::yoursource", and for sourcetype you do not need to provide any prefix, so the stanza will be stanza=yoursourcetype
type: REPORT, or if you want to use an inline regex then specify EXTRACT
value: "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$", or if you want to use transforms (aka REPORT) then provide a comma or space delimited transforms list.
For example: I have raw data "This is myimage" with sourcetype mysourcetype and I want to extract the word myimage from the raw data into the image field; then we can use the below curl to fire the POST REST API. The below curl command will create a Private Field Extraction in the search app and the owner will be the admin user.
curl -vk -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=test -d stanza=mysourcetype -d type=EXTRACT -d "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$"
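To illustrate the two points this answer makes, the stanza prefix rule and the need for a named capture group in the regex, here is an added Python example (not code from the original post or from Splunk): it builds the same form fields the curl command above sends, rejects a regex whose capture group has lost its name, and previews the extraction against the sample event locally before anything is POSTed. Function names and the translation of PCRE's \h and \v shorthands into Python syntax are assumptions of this example, since Python's re module does not support them.

```python
"""Build, check and preview a Splunk EXTRACT field extraction before
POSTing it to /servicesNS/<user>/<app>/data/props/extractions."""
import re
from urllib.parse import urlencode

# Stanza naming rule from the thread: host and source stanzas carry a
# prefix, a sourcetype stanza is just the bare sourcetype name.
STANZA_PREFIX = {"host": "host::", "source": "source::", "sourcetype": ""}

# A PCRE named capture group, (?<name>...) or (?P<name>...). Without one
# Splunk stores the extraction but no field ever appears in search.
NAMED_GROUP = re.compile(r"\(\?P?<([A-Za-z_][A-Za-z0-9_]*)>")

# Assumed, approximate translation of the PCRE shorthands in the thread's
# regex (\h horizontal, \v vertical whitespace) that Python's re lacks.
PCRE_TO_PY = [("[^\\h]", "[^ \\t]"), ("[\\h]", "[ \\t]"),
              ("[^\\v]", "[^\\n\\r\\x0b\\x0c]")]

def stanza_name(kind, value):
    """'sourcetype','mysourcetype' -> 'mysourcetype'; 'host','h1' -> 'host::h1'."""
    return STANZA_PREFIX[kind] + value

def field_names(regex):
    """Fields the regex would create; an empty list means a broken regex."""
    return NAMED_GROUP.findall(regex)

def build_extraction(kind, value, name, regex):
    """Form fields for the REST POST; rejects a regex that names no field."""
    if not field_names(regex):
        raise ValueError("regex has no named capture group such as (?<image>...)")
    return {"name": name, "stanza": stanza_name(kind, value),
            "type": "EXTRACT", "value": regex}

def preview(regex, raw):
    """Run the extraction on one raw event locally; None when it does not match."""
    py = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex)  # (?<x> -> (?P<x>
    for pcre, python in PCRE_TO_PY:
        py = py.replace(pcre, python)
    match = re.search(py, raw)
    return match.groupdict() if match else None

def form_body(fields):
    """URL-encoded body, equivalent to curl's repeated -d flags."""
    return urlencode(fields)

if __name__ == "__main__":
    f = build_extraction("sourcetype", "mysourcetype", "test",
                         r"^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$")
    print(preview(f["value"], "This is myimage"))  # {'image': 'myimage'}
    print(form_body(f))
```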
Hi,
Can you please clarify "permanent field"? If you want to create a props.conf configuration to extract a field using the REST API, then have a look at this answer: https://answers.splunk.com/answers/688049/how-do-i-alter-propsconf-via-python-sdk.html
I am trying this:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=image -d stanza=openstack -d type=EXTRACT -d "value= ^(?:[^\.\n]*\.){6}(?P[^ ]+)"
I can see this extracted field in field extractions, but when I look at my dataset "openstack" in the search app, it is not coming as an interesting field on the left side. I want to see it permanently as an interesting field.
Looks like your regex is wrong, or the Splunk Answers website removed a certain part of the regex. Always use the 101010 button when posting code or a regex.
Can you please confirm your regex, is this ^(?:[^\.\\n]*\.){6}(?P[^ ]+)
OR ^(?:[^\.\\n]*\.){6}(?P<ext_field>[^ ]+)
I am trying to use this command from the Splunk REST API reference manual:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?\d+)"
but I am confused with "value=port (?\d+)". What is "port" before the regular expression?
That is part of the regular expression, which should match something like "port 1234", and from this match it will extract 1234 in the port_number field.
So if I want to extract a field by regex and I want to give it the name "image", how should the command be?
stanza = openstack (source or sourcetype)
type = EXTRACT
value = ??
name = ??
What should the name and value be?
In stanza you need to provide host, source or sourcetype. I guess if you want to provide host or source then the stanza should be like host::yourhostname or source::yoursourcename.
In value you need to provide your regular expression. Let's say your _raw data is "This is myimage" and you want to extract myimage in the image field; then your regular expression should be like this: ^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$ , sample data with regex: https://regex101.com/r/3G2UsI/1
In name, it will be a user friendly name for this configuration (stanza).
Are you sure host::yourhostname or source::sourcename is the correct way for the stanza?
I mentioned stanza=mysourcename, and I can see my extracted field in field extractions in the same way as when I did it in the Splunk Web page with a regex, but I am unable to see it on the left side as an interesting field.
Yes, I am sure. For host and source you need to use host::yourhostname and source::yoursourcename; for sourcetype you do not need to use any prefix. For sourcetype you can use stanza=yoursourcetype
Ok, thanks a lot. I was getting stuck with it.