props.conf | multiple EXTRACT single GROUP name

NullZero
Path Finder

Hi,

I'm struggling to confirm in the docs whether this is permitted or not. I'm working on a TA for Netgear Wi-Fi; the log format is not brilliant to work with, but I want to extract the ssid (Wi-Fi network name). There are two formats of log containing this. I have written:

  • EXTRACT-ssid
  • EXTRACT-wifi_join_leave_ssid


Wi-Fi/default/props.conf   EVAL-src_mac = bssid
Wi-Fi/default/props.conf   EXTRACT-bssid = \"bssid\"\:\"(?<bssid>\w+\-\w+\w+\-\w+\-\w+\-\w+\-\w+)"
Wi-Fi/default/props.conf   EXTRACT-ssid = \"ssid\"\:\"(?<ssid>.*?)"
Wi-FI/default/props.conf   EXTRACT-wifi_join_leave_ssid = (disconnected\sfrom\s|connected\sto\s)(?<ssid>.+?)(?: with an RSSI|}$)

Both these extractions appear to work just fine at search time, which really surprised me; I was obsessing over trying to combine a long REGEX with an OR. I've obviously referred to:

https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Propsconf

Which makes it clear that the CLASS must be unique (no problem), but the capture group name gets no mention?

0 Karma

PickleRick
SplunkTrust

Why do you escape the quotes? You don't need to do that.

0 Karma

NullZero
Path Finder

Hi @richgalloway, I think this is the point. What we're saying / agreeing is that there is no requirement for a unique 'capture group name'; effectively the two regex field values 'coalesce', and quite tidily in the instance that I have tested. This is a surprise and was not at all clear, and it actually lends flexibility.


0 Karma

NullZero
Path Finder

Hi @richgalloway, thanks for replying. Let me be clearer: I am extracting SSID twice, and the named capture group in both instances is 'SSID' per btool.

What has surprised me, and I can't see listed, is the requirement for a unique capturing group name.

0 Karma

richgalloway
SplunkTrust

The highlighted text in my screenshot shows where the Admin manual says a capturing group is required in EXTRACT. It does not say the group name must be unique because that is not a requirement. Although a given regex may fail if the same group name is used more than once, the same group name may be used in multiple EXTRACT settings.

---
If this reply helps you, Karma would be appreciated.
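As an added example (not code from the thread or from Splunk), this Python script models the point of the answer: the two EXTRACT classes run as separate regexes, so sharing the group name "ssid" simply fills one field, whereas the same name twice inside one regex is rejected by the engine. It assumes constructed sample events in the two formats the question describes and uses Python's re module rather than Splunk's PCRE, with (?<name>...) written as (?P<name>...).

```python
import re

# Constructed sample events (not real Netgear captures), one per log format the post describes:
# a JSON-style record with "ssid"/"bssid" keys, and a brace-wrapped join/leave message.
SAMPLE_EVENTS = [
    '{"event":"assoc","ssid":"HomeNet","bssid":"aa-bb-cc-dd-ee-ff"}',
    "Oct  5 14:22:10 netgear wifi: {client 11-22-33-44-55-66 connected to GuestNet with an RSSI of -61}",
    "Oct  5 14:25:41 netgear wifi: {client 11-22-33-44-55-66 disconnected from GuestNet}",
]

# The post's EXTRACT regexes with the unneeded \" and \: escapes dropped and (?<name>...)
# written as Python's (?P<name>...). Two separate classes both name their group "ssid".
EXTRACTS = {
    "EXTRACT-bssid": r'"bssid":"(?P<bssid>\w+\-\w+\w+\-\w+\-\w+\-\w+\-\w+)"',
    "EXTRACT-ssid": r'"ssid":"(?P<ssid>.*?)"',
    "EXTRACT-wifi_join_leave_ssid": r"(disconnected\sfrom\s|connected\sto\s)(?P<ssid>.+?)(?: with an RSSI|}$)",
}

# Hypothetical single regex that reuses the group name inside one pattern, for contrast.
COMBINED = r'"ssid":"(?P<ssid>.*?)"|connected\sto\s(?P<ssid>.+?)\swith an RSSI'


def extract_fields(event: str, extracts: dict[str, str]) -> dict[str, list[str]]:
    """Simplified model of search-time extraction: every EXTRACT class is matched on its
    own and each named group that captured text lands under its group name. Sharing a
    name across classes is harmless; if several classes match, the field holds several values."""
    fields: dict[str, list[str]] = {}
    for pattern in extracts.values():
        match = re.search(pattern, event)
        if match is None:
            continue
        for name, value in match.groupdict().items():
            if value is not None:
                fields.setdefault(name, []).append(value)
    return fields


def pattern_compiles(pattern: str) -> bool:
    """True if the regex engine accepts the pattern. Python's re rejects a second group
    with an already-used name, the failure a single regex with a repeated group name hits."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fields(event, EXTRACTS).get("ssid"), "<-", event)
    print("duplicate group name in one regex compiles:", pattern_compiles(COMBINED))
```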

richgalloway
SplunkTrust

The capture group name is indeed mentioned.

[screenshot: richgalloway_0-1696514122090.png]

---
If this reply helps you, Karma would be appreciated.
0 Karma