Splunk IT Service Intelligence

Regex concatenation in props & transforms

ialahdal
Path Finder

I am using regex to extract a field, but I need 2 different regexes.
So under transforms.conf I made 2 different regexes with the same field, and under props I called them.

I seek to achieve 3 things,

1- mask data in uri if needed
2- concatenate fields if masked
3- extract uri

URIs come in 2 different forms
1- uri_path all letters with 1 field to extract: i.e /Core/Test/

2- uri_path_profile letters & numbers with 3 fields to extract, i.e.
/Test/?id={NIN}&contactType={type}
where NIN is any 10 digit combination, and type is one out of 3 possible strings

transforms.conf

#Field extraction for uri path
[uri_path]
REGEX = uri":"([\/A-Za-z]+)
FORMAT = uri::$1

[uri_path_profile]
REGEX = uri":"([\/A-Za-z]+)\?id=(\w+)&contactType=(\w+)
FORMAT = uri::$1?id=NIN&contactType=$3 NIN::$2 contact_type::$3

My end goal is to have both extracted regexes in one field called uri, but since the fields in the 2nd stanza are dynamic and will have a lot of entries, I'd like them to all be made into one, which would be
uri=/Test/?id=NIN&contactType=(group_3_value), so even if NIN has thousands of different records it will only show the 3 different strings at the end.

Is this doable?


ialahdal
Path Finder

I solved this by using EVAL in props.conf

EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)

transforms.conf

[uri_path_1]
REGEX = uri":"(?<url>[\/A-Za-z]+)


[uri_path_2]
REGEX = uri":"(?<url>[\/A-Za-z]+)\?id=(?<NIN>\w+)&contactType=(?<contact_type>\w+)
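The accepted solution above, replayed as an added example (not code from the original post): a Python simulation of the two transforms and the EVAL-url expression over constructed events, showing how the per-request identifier is collapsed in `url`. The sample events, the contactType values and the helper names are assumptions.

```python
import re
from collections import Counter

# The two transforms.conf patterns from the accepted answer. Splunk (PCRE)
# writes named groups as (?<name>...); Python's re needs (?P<name>...).
URI_PATH_1 = re.compile(r'uri":"(?P<url>[\/A-Za-z]+)')
URI_PATH_2 = re.compile(
    r'uri":"(?P<url>[\/A-Za-z]+)\?id=(?P<NIN>\w+)&contactType=(?P<contact_type>\w+)'
)

# Constructed sample events; the ids and contactType values are made up.
SAMPLE_EVENTS = [
    '{"method":"GET","uri":"/Core/Test/","status":200}',
    '{"method":"GET","uri":"/Test/?id=1000000001&contactType=email","status":200}',
    '{"method":"GET","uri":"/Test/?id=1000000002&contactType=email","status":200}',
    '{"method":"GET","uri":"/Test/?id=1000000003&contactType=sms","status":200}',
]

def extract(raw):
    """Apply both extractions, then the EVAL-url expression from props.conf."""
    fields = {}
    for rx in (URI_PATH_1, URI_PATH_2):
        m = rx.search(raw)
        if m:
            fields.update(m.groupdict())
    # EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)
    if "url" in fields and fields.get("contact_type") is not None:
        fields["url"] = fields["url"] + "/NIN/contactType/" + fields["contact_type"]
    return fields

def url_counts(events):
    """Count distinct url values after normalisation."""
    return Counter(extract(e).get("url") for e in events)

def nin_values(events):
    """Identifiers that remain visible in the separately extracted NIN field."""
    return sorted(f["NIN"] for f in map(extract, events) if "NIN" in f)

if __name__ == "__main__":
    print(url_counts(SAMPLE_EVENTS))
    print(nin_values(SAMPLE_EVENTS))
```

EVAL- calculated fields are applied at search time, so only the `url` field is normalised; the raw event and the extracted `NIN` field still contain each identifier.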
