Create permanent field via REST API

Engager

Can a permanent field be created by using a regular expression via the REST API?

SplunkTrust

Summarizing comments into answer.

To create a props configuration using the REST API, the parameters below are required.

  1. name - User-friendly name of the stanza.
  2. stanza - Here you can define the stanza based on host, source or sourcetype. For a host, the stanza will be stanza="host::yourhostname"; for a source, the stanza will be stanza="source::yoursource"; and for a sourcetype you do not need to provide any prefix, so the stanza will be stanza=yoursourcetype.
  3. type - Depending on your requirement: if you want to use transforms.conf then specify REPORT, or if you want to use an inline regex then specify EXTRACT.
  4. value - For an inline REGEX (aka EXTRACT) provide your regular expression, for example: "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$", or if you want to use transforms (aka REPORT) then provide a comma- or space-delimited transforms list.

For example: I have the raw data This is myimage with sourcetype mysourcetype, and I want to extract the word myimage from the raw data into the image field. Then we can use the curl command below to fire a POST to the REST API; it will create a Private Field Extraction in the search app, and the owner will be the admin user.

curl -vk -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=test -d stanza=mysourcetype -d type=EXTRACT -d "value=^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$"

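A scripted equivalent of the curl call above, added here as an example that is not part of the thread; it also covers the stanza/name/value discussion further down. It builds the stanza with the right host::/source:: prefix, tries the regex against a sample event locally before sending it, URL-encodes the form body (curl -d sends it raw) and keeps TLS verification on instead of using -k. The helper names, the SPLUNK_USER/SPLUNK_PASS environment variables and the sample regex are my assumptions.

```python
"""Create a props.conf EXTRACT stanza through the Splunk REST API (added
example, not the thread's code; helper names are my own). Credentials come
from environment variables and TLS stays verified (no equivalent of curl -k)."""
import base64, os, re
import urllib.parse, urllib.request


def build_stanza(host=None, source=None, sourcetype=None):
    """host:: and source:: carry a prefix; a sourcetype is used bare."""
    if sum(bool(s) for s in (host, source, sourcetype)) != 1:
        raise ValueError("specify exactly one of host, source, sourcetype")
    return f"host::{host}" if host else f"source::{source}" if source else sourcetype


def check_regex(value, sample):
    """Try the EXTRACT regex on one sample _raw line before sending it. Splunk is
    PCRE, Python's re wants (?P<name>...), so rewrite (?<name>...) first."""
    pattern = re.sub(r"\(\?<(?=[A-Za-z_]\w*>)", "(?P<", value)
    match = re.search(pattern, sample)
    return match.groupdict() if match else None


def build_payload(name, stanza, value, kind="EXTRACT"):
    """Form fields for POST data/props/extractions; REPORT takes a transforms list."""
    if kind not in ("EXTRACT", "REPORT"):
        raise ValueError("type must be EXTRACT or REPORT")
    return {"name": name, "stanza": stanza, "type": kind, "value": value}


def create_extraction(payload, base_url="https://localhost:8089",
                      owner="admin", app="search"):
    """POST a private extraction owned by `owner` in `app`. urlencode() escapes
    regex characters (&, +, %) that a plain curl -d would send unencoded."""
    url = f"{base_url}/servicesNS/{owner}/{app}/data/props/extractions"
    creds = f"{os.environ['SPLUNK_USER']}:{os.environ['SPLUNK_PASS']}".encode()
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(payload).encode(), method="POST",
        headers={"Authorization": "Basic " + base64.b64encode(creds).decode()})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: the thread's "This is myimage" event. Same meaning as
    # the thread's regex but written without \h and \v, which Python's re lacks.
    regex = r"^(?:[^ \t]*[ \t]){2}(?<image>[^\r\n]*)$"
    print(check_regex(regex, "This is myimage"))  # {'image': 'myimage'}
    payload = build_payload("test", build_stanza(sourcetype="mysourcetype"), regex)
    print(urllib.parse.urlencode(payload))
    # create_extraction(payload)  # run against a live instance
```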

SplunkTrust

Hi,

Can you please clarify "permanent field"? If you want to create a props.conf configuration to extract a field using the REST API, then have a look at this answer: https://answers.splunk.com/answers/688049/how-do-i-alter-propsconf-via-python-sdk.html

Engager

I am trying this:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=image -d stanza=openstack -d type=EXTRACT -d "value= ^(?:[^\.\n]*\.){6}(?P[^ ]+)"
I can see this extracted field in Field Extractions, but when I look at my dataset "openstack" in the search app, it is not showing as an interesting field on the left side. I want to see it permanently as an interesting field.

SplunkTrust

Looks like your regex is wrong, or the Splunk Answers website removed a certain part of the regex. Always use the 101010 button when posting code or regex.

Can you please confirm your regex: is it ^(?:[^\.\\n]*\.){6}(?P[^ ]+) OR ^(?:[^\.\\n]*\.){6}(?P<ext_field>[^ ]+)

Engager

I am trying to use this command from the Splunk REST API reference manual:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?\d+)"

but I am confused by "value=port (?\d+)": what is "port" before the regular expression?

SplunkTrust

That is part of the regular expression, which should match something like port 1234, and from this match it will extract 1234 into the port_number field.

Engager

So if I want to extract a field by regex and I want to give it the name "image", what should the command be?
stanza = openstack (source or sourcetype)
type = Extract
value = ??
name = ??
What should name and value be?

SplunkTrust

In stanza you need to provide a host, source or sourcetype. I guess if you want to provide a host or source then the stanza should be like host::yourhostname or source::yoursourcename.

In value you need to provide your regular expression. Let's say your _raw data is This is myimage and you want to extract myimage into the image field; then your regular expression should be like this: ^(?:[^\h]*[\h]){2}(?<image>[^\v]*)$ (sample data with regex: https://regex101.com/r/3G2UsI/1).

In name, it will be a user-friendly name for this configuration (stanza).

Engager

Are you sure host::yourhostname or source::sourcename is the correct way for the stanza?
I mentioned stanza=mysourcename and can see my extracted field in Field Extractions, in the same way as I did on the Splunk Web page with the regex, but I am unable to see it on the left side as an interesting field.

SplunkTrust

Yes, I am sure: for host and source you need to use host::yourhostname and source::yoursourcename; for sourcetype you do not need to use any prefix.

For a sourcetype you can use stanza=yoursourcetype.

Engager

OK, thanks a lot. I was getting stuck with it.
