Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

field extraction working with rex but not props.conf

jdmclemore
Path Finder
‎10-29-2020 03:36 PM

I am trying to extract a portion of the source as a field. Here's what the source looks like:

 

D:\Host Logs\info.server.02.mfl

 

I'm trying to extract "info" from the source filename and this works perfectly as a splunk search:

 

search | rex field=source "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)"

 

But if I put this in props.conf for this sourcetype as a search-time extraction, it's not working:

 

EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source

 

I've tried multiple versions of this, taking out the extra "\", removing the quotes, etc., but cant seem to get this field to extract. A "splunk btool props list..." shows that the props.conf file is being used. It's in an app in /opt/splunk/etc/apps. This is Splunk Enterprise 8.0.4.1.

Edit: Here are all the versions I've tried so far...

 

EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source
EXTRACT-sourcefield = D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source
EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source
EXTRACT-sourcefield = "D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source

 

Labels (1)
Labels
0 Karma
Reply

amiftah_splunk
Splunk Employee
Splunk Employee
‎10-30-2020 08:37 AM

Or you can try:

EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)
0 Karma
Reply

jdmclemore
Path Finder
‎10-30-2020 09:19 AM

Thanks @amiftah_splunk  - unfortunately, this isn't working either.

0 Karma
Reply

amiftah_splunk
Splunk Employee
Splunk Employee
‎10-30-2020 09:26 AM

Are you extracting from a field?

You may need to use transforms:

transforms.conf:

[example]

SOURCE_KEY = source

REGEX = <your_regex>

props.conf:

REPORT-example = example

0 Karma
Reply

jdmclemore
Path Finder
‎11-02-2020 01:03 PM

Tried using REPORT and transforms, but still no good extraction...

0 Karma
Reply

jdmclemore
Path Finder
‎10-30-2020 09:39 AM

Yes, extracting from the source field. I haven't tried going the REPORT route and using transforms.conf because its a simple inline extraction that shouldnt require transforms, per the documentation. Maybe worth giving it a shot though.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-30-2020 06:43 AM

Have you tried this?

EXTRACT-sourcefield = D:\\Host Logs\\(?<newfield>[\w]+)\.\w+\.\w+\.(mfl|MFL) in source

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jdmclemore
Path Finder
‎10-30-2020 09:15 AM

Thanks @richgalloway  - yes I've tried that in props, but no extraction.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...