Solved: Props and transforms not extracting fields properl...

pgadhari · ‎10-13-2020

I have a CSV data in following format and I have written props and transforms to extract the fields. Somehow, the ""Summary|vSphere Tag"" field values are not getting extracted wherein I have written transforms for it. Below are my configuration files - inputs, props and transforms :

CSV Data:

"Name","Summary|vSphere Tag"
"DC4VPWSAM","[<Application_category-Software Asset Management>, <Sub_class-Facilities>, <Department-Infrastructure & Operations>, <Primary_System_Owner-Pankaj Gadhari>, <Section-SM Service Support_Sec>, <Organisation-Technology & Infrastructure>, <Division-I&O Service Management>, <Application_Name-Manager Suite>, <Unit-SM Service Support>, <Class-Line of Business>]"

"DC1VPWSAM","[<Application_category-Software Asset Management>, <Sub_class-Facilities>, <Department-Infrastructure & Operations>, <Primary_System_Owner-Pankaj Gadhari>, <Section-SM Service Support_Sec>, <Organisation-Technology & Infrastructure>, <Division-I&O Service Management>, <Application_Name-Manager Suite>, <Unit-SM Service Support>, <Class-Line of Business>]"

"DC3VPWSAM","[<Application_category-Software Asset Management>, <Sub_class-Facilities>, <Department-Infrastructure & Operations>, <Primary_System_Owner-Pankaj Gadhari>, <Section-SM Service Support_Sec>, <Organisation-Technology & Infrastructure>, <Division-I&O Service Management>, <Application_Name-Manager Suite>, <Unit-SM Service Support>, <Class-Line of Business>]"

"DCVPWSCCM","[<Primary_System_Owner-Pankaj Gadhari>]"

"witsql-esx","none"

Inputs.conf

[monitor://C:\VMware-Tags\tagsplit\*.csv]
disabled = false
index = vmware
sourcetype = vmware-tags-csv
crcSalt = <SOURCE>

Props.conf

[vmware-tags-csv]
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldown_type = true
REPORT-vmtags = myplaintransform1
EXTRACT-vmname = (?<vmname>[A-Za-z0-9]+),

transforms

[myplaintransform1]
REGEX=(?<vmname>[A-Za-z0-9]+),\<(.*?)-(.*?)\>
FORMAT=$1::$2

somehow the transforms is not working and the fields are not getting extracted. I want to extract Key Value pairs from "Summary|vSphere Tag" field so that it should show in search as below :

vmname,

Application_category

Primary_System_Owner and so on...

Please help resolve the issue.

richgalloway · ‎10-13-2020

The transform defines 3 capture groups, but only uses 2. One of the capture groups extracts a field (vmname) that is also extracted by the EXTRACT setting.

Since the "Summary|vSphere Tag" field contains multiple key/value pairs, I believe the transforms needs the MV_ADD=true setting.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-13-2020

The transform defines 3 capture groups, but only uses 2. One of the capture groups extracts a field (vmname) that is also extracted by the EXTRACT setting.

Since the "Summary|vSphere Tag" field contains multiple key/value pairs, I believe the transforms needs the MV_ADD=true setting.

---
If this reply helps you, Karma would be appreciated.

pgadhari · ‎10-16-2020

sure. I will check that setting and get back to you.

Props and transforms not extracting fields properly for csv data

field extraction

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases