Solved: Props and transforms not extracting fields properl...

pgadhari · ‎10-13-2020

I have a CSV data in following format and I have written props and transforms to extract the fields. Somehow, the ""Summary|vSphere Tag"" field values are not getting extracted wherein I have written transforms for it. Below are my configuration files - inputs, props and transforms :

CSV Data:

"Name","Summary|vSphere Tag"
"DC4VPWSAM","[<Application_category-Software Asset Management>, <Sub_class-Facilities>, <Department-Infrastructure & Operations>, <Primary_System_Owner-Pankaj Gadhari>, <Section-SM Service Support_Sec>, <Organisation-Technology & Infrastructure>, <Division-I&O Service Management>, <Application_Name-Manager Suite>, <Unit-SM Service Support>, <Class-Line of Business>]"

"DC1VPWSAM","[<Application_category-Software Asset Management>, <Sub_class-Facilities>, <Department-Infrastructure & Operations>, <Primary_System_Owner-Pankaj Gadhari>, <Section-SM Service Support_Sec>, <Organisation-Technology & Infrastructure>, <Division-I&O Service Management>, <Application_Name-Manager Suite>, <Unit-SM Service Support>, <Class-Line of Business>]"

"DC3VPWSAM","[<Application_category-Software Asset Management>, <Sub_class-Facilities>, <Department-Infrastructure & Operations>, <Primary_System_Owner-Pankaj Gadhari>, <Section-SM Service Support_Sec>, <Organisation-Technology & Infrastructure>, <Division-I&O Service Management>, <Application_Name-Manager Suite>, <Unit-SM Service Support>, <Class-Line of Business>]"

"DCVPWSCCM","[<Primary_System_Owner-Pankaj Gadhari>]"

"witsql-esx","none"

Inputs.conf

[monitor://C:\VMware-Tags\tagsplit\*.csv]
disabled = false
index = vmware
sourcetype = vmware-tags-csv
crcSalt = <SOURCE>

Props.conf

[vmware-tags-csv]
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldown_type = true
REPORT-vmtags = myplaintransform1
EXTRACT-vmname = (?<vmname>[A-Za-z0-9]+),

transforms

[myplaintransform1]
REGEX=(?<vmname>[A-Za-z0-9]+),\<(.*?)-(.*?)\>
FORMAT=$1::$2

somehow the transforms is not working and the fields are not getting extracted. I want to extract Key Value pairs from "Summary|vSphere Tag" field so that it should show in search as below :

vmname,

Application_category

Primary_System_Owner and so on...

Please help resolve the issue.

richgalloway · ‎10-13-2020

The transform defines 3 capture groups, but only uses 2. One of the capture groups extracts a field (vmname) that is also extracted by the EXTRACT setting.

Since the "Summary|vSphere Tag" field contains multiple key/value pairs, I believe the transforms needs the MV_ADD=true setting.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-13-2020

The transform defines 3 capture groups, but only uses 2. One of the capture groups extracts a field (vmname) that is also extracted by the EXTRACT setting.

Since the "Summary|vSphere Tag" field contains multiple key/value pairs, I believe the transforms needs the MV_ADD=true setting.

---
If this reply helps you, Karma would be appreciated.

pgadhari · ‎10-16-2020

sure. I will check that setting and get back to you.

Props and transforms not extracting fields properly for csv data

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation