Splunk Enterprise

Extraction in props.conf not working

manuarora
Explorer

I have the following inputs.conf:

[script://$SPLUNK_HOME/etc/apps/mck-perflog-aix/bin/lsvgdetails.sh]
index = mck-perflog
sourcetype = lsvg_detail
interval = 60

The script returns output as:
rootvg,64,559,199,360

I am using the following in props.conf:

[lsvg_detail]
EXTRACT-common = (?<vg_name>[^\,]+),(?<pp_size>[^\,]+),(?<total_pp>[^\,]+),(?<free_pp>[^\,]+),(<used_pp>[^\,]+)

but it is not extracting the fields. I do not have any transforms.conf.

Can you please help?

Lowell
Super Champion

Any reason why you aren't using delimiter based extractions? I think that would be simpler in your case.

That said, the bug seems to be in your regex. Try this:

EXTRACT-common = ^(?<vg_name>[^\,]+),(?<pp_size>[^\,]+),(?<total_pp>[^\,]+),(?<free_pp>[^\,]+),(?<used_pp>[^\,]+)

You were missing a "?" at the end (used_pp). I also added a leading "^" which will force your regex to start at the beginning of the line; which is better than letting the regex engine guess.

I didn't change this, but you should note that your entire regex will fail to match if any of the fields you have defined are missing. That is [^\,]+ vs [^\,]*. You may or may not want this. Also, you don't need the backslash before your commas.

To use a delimiter based extraction, you can do the following:

props.conf:

[lsvg_detail]
SHOULD_LINEMERGE = False
DATETIME_CONFIG = CURRENT
REPORT-fields = lsvg_detail-fields

transforms.conf:

[lsvg_detail-fields]
DELIMS = ","
FIELDS = "vg_name", "pp_size", "total_pp", "free_pp", "used_pp"

In my opinion this is much simpler to understand and maintain in the future; and it may even be slightly faster than the regex approach (not that you're likely to notice the difference). So unless you have a complex field extraction situation (i.e. optional columns or very weird quoting logic) then I recommend sticking to the delimiter based approach. (And that's coming from someone who really enjoys writing and tweaking regular expressions.)

Lowell
Super Champion

Your problem is probably that you don't have a timestamp in your event. Splunk breaks by default after a timestamp. You don't want to change LINE_BREAKER in this case (or hardly ever), you simply want to add SHOULD_LINEMERGE = False in props. (I've updated my example above to reflect this.)

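As an added illustration (my own script, not from this thread or from Splunk), the following Python mimics what Splunk does with the posted regex, the corrected regex and the DELIMS transform, and shows why an event that has been line-merged makes used_pp swallow the next line's VG name. It assumes Splunk's PCRE named-group syntax is rewritten to Python's `(?P<name>...)` form; the sample lines are the ones echoed by the script.

```python
import re

# Regex as posted in the question. The last group is "(<used_pp>...)", not
# "(?<used_pp>...)", so it is a plain group that must match the literal text
# "<used_pp>" and the whole pattern never matches.
POSTED = r'(?<vg_name>[^\,]+),(?<pp_size>[^\,]+),(?<total_pp>[^\,]+),(?<free_pp>[^\,]+),(<used_pp>[^\,]+)'
# Corrected regex from the answer: anchored, all five groups named.
FIXED = r'^(?<vg_name>[^\,]+),(?<pp_size>[^\,]+),(?<total_pp>[^\,]+),(?<free_pp>[^\,]+),(?<used_pp>[^\,]+)'

# Constructed sample: the three lines the script echoes.
SCRIPT_OUTPUT = "splunkdvg,128,399,6,393\nappvg,128,478,357,121\nrootvg,64,559,199,360\n"

FIELDS = ("vg_name", "pp_size", "total_pp", "free_pp", "used_pp")


def pcre_to_python(pattern):
    """Splunk uses PCRE '(?<name>...)'; Python's re needs '(?P<name>...)'.
    Lookbehinds '(?<=' and '(?<!' are left untouched."""
    return re.sub(r'\(\?<(?=\w)', '(?P<', pattern)


def extract(pattern, event):
    """Mimic EXTRACT-*: run the regex over the event's _raw, return named groups."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else None


def extract_delims(event, fields=FIELDS):
    """Mimic the DELIMS/FIELDS transform: split on ',' and pair with the names."""
    return dict(zip(fields, event.rstrip("\n").split(",")))


def events(raw, linemerge):
    """With SHOULD_LINEMERGE on and no timestamp to break on, the lines are
    glued into a single event; with it off, every line is its own event."""
    if linemerge:
        return [raw.rstrip("\n")]
    return [line for line in raw.splitlines() if line]


if __name__ == "__main__":
    print("posted regex:", extract(POSTED, "rootvg,64,559,199,360"))
    print("fixed regex :", extract(FIXED, "rootvg,64,559,199,360"))
    # [^,]+ happily crosses a newline, so a merged event leaks the next VG name.
    merged = events(SCRIPT_OUTPUT, linemerge=True)[0]
    print("merged event used_pp:", repr(extract(FIXED, merged)["used_pp"]))
    for ev in events(SCRIPT_OUTPUT, linemerge=False):
        print("per-line event:", extract_delims(ev))
```

Run it to see the merged event report used_pp as "393\nappvg", which is exactly the symptom described in the thread, while the per-line events and the delimiter split give clean values.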

manuarora
Explorer

I am using multiple unix echo commands to display text, i.e.:
echo "splunkdvg,128,399,6,393"
echo "appvg,128,478,357,121"


manuarora
Explorer

Hi, it gives me output like this:
splunkdvg,128,399,6,393
appvg,128,478,357,121
rootvg,64,559,199,360
but when I use the above format it adds the VG name to used_pp. I think I need to use LINE_BREAKER but do not know what the value of the line breaker should be.
