Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extraction from Indexed field

Poojitha
Communicator
‎05-03-2024 04:52 AM

Hi All,

I am trying to extract a value from the indexed field. i.e from source field . I have added the regex in props.conf 

Example : 

source  = 234234324234:us-west-2:firehose_list_tags_for_resource

I want everything after second : (colon) as service i.e firehose_list_tags_for_resource

I have added in props.conf as below :

EXTRACT-service = source([^:]+:[^:]+:(?<service>.+)$)

This has created the field service but fetching wrong value. It is fetching last part of raw data.

Please can anyone help me to understand how can I extract field value from indexed data ? Should I add in transforms.conf as well ?

Please can anyone guide me. It helps me lot

Regards,
PNV

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2024 05:43 AM

Tell Splunk which field to extract from by using the in option.

EXTRACT-service = [^:]+:[^:]+:(?<service>.+)$ in source

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

deepakc
Builder
‎05-03-2024 05:42 AM

Use the below as an example, using both props and transforms,  change to your sourcetype that you are using and if it works, change your group names if desired. 

Props.conf
[my_sourcetype]
REPORT-my_service = extract_service


Transforms.conf
[extract_service]
SOURCE_KEY = source
REGEX = [^:]+:(?<my_service>.+)$
FORMAT = my_service::$1

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-03-2024 05:36 AM

Hi @Poojitha,

please try this:

| rex field=source ":(?<your_field>\w+)$"

or in props.conf:

EXTRACT-service = EXTRACT-service = source([^:]+:[^:]+:(?<service>.+)$) in source

that you can test at https://regex101.com/r/NBjX8h/1

ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...