Splunk ITSI

Regex concatenation in props & transforms

ialahdal
Path Finder

I am using regex to extract a field, but I need 2 different regexes.
So under transforms.conf I made 2 different regexes with the same field, and under props I called them.

I seek to achieve 3 things:

1- mask data in uri if needed
2- concatenate fields if masked
3- extract uri

URIs come in 2 different forms:
1- uri_path: all letters, with 1 field to extract, i.e. /Core/Test/

2- uri_path_profile: letters & numbers, with 3 fields to extract, i.e.
/Test/?id={NIN}&contactType={type}

where NIN is any 10-digit combination, and type is one out of 3 possible strings

transforms.conf

#Field extraction for uri path
[uri_path]
REGEX = uri":"([\/A-Za-z]+)
FORMAT = uri::$1

[uri_path_profile]
REGEX = uri":"([\/A-Za-z]+)\?id=(\w+)&contactType=(\w+)
FORMAT = uri::$1?id=NIN&contactType=$3 NIN::$2 contact_type::$3

My end goal is to have both extracted regexes go into one field called uri, but since the fields in the 2nd stanza are dynamic and will have a lot of entries, I'd like them all to be made into one, which would be
uri=/Test/?id=NIN&contactType=(group_3_value), so even if NIN has thousands of different records it will only show the 3 different strings at the end.

Is this doable?

1 Solution

ialahdal
Path Finder

I solved this by using EVAL in props.conf

EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)

transforms.conf

[uri_path_1]
REGEX = uri":"(?<url>[\/A-Za-z]+)


[uri_path_2]
REGEX = uri":"(?<url>[\/A-Za-z]+)\?id=(?<NIN>\w+)&contactType=(?<contact_type>\w+)
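Added example (not part of the original thread, and not Splunk's own code): a small Python reproduction of the accepted answer, so the two transforms and the EVAL-url calculation can be checked against sample events before the configuration is deployed. It applies the two REGEX lines from transforms.conf above to constructed JSON access-log lines, merges the named groups the way search-time REPORT extraction would, and then computes url exactly as the EVAL in props.conf does. The sample events, the field names on the JSON lines other than uri, and the SEDCMD-style mask at the end are assumptions made for the illustration; Python's re uses (?P<name>...) where Splunk's PCRE accepts (?<name>...), and the patterns are otherwise unchanged.

```python
import re

# Constructed sample events (not from the original post): JSON log lines
# carrying the two URI shapes described in the question.
SAMPLE_EVENTS = [
    '{"ts":"2025-01-01T10:00:00Z","uri":"/Core/Test/","status":200}',
    '{"ts":"2025-01-01T10:00:01Z","uri":"/Test/?id=1234567890&contactType=email","status":200}',
    '{"ts":"2025-01-01T10:00:02Z","uri":"/Test/?id=0987654321&contactType=phone","status":404}',
]

# The two transforms.conf regexes from the accepted answer; only the named-group
# syntax differs ((?P<name>...) for Python instead of PCRE's (?<name>...)).
URI_PATH_1 = re.compile(r'uri":"(?P<url>[\/A-Za-z]+)')
URI_PATH_2 = re.compile(
    r'uri":"(?P<url>[\/A-Za-z]+)\?id=(?P<NIN>\w+)&contactType=(?P<contact_type>\w+)'
)


def extract_fields(raw: str) -> dict:
    """Mimic search-time REPORT extraction: run each transform over _raw and
    merge the named groups it captures into the event's field set. Both
    transforms capture url, but for a profile URI they capture the same value,
    so the later one does not change it."""
    fields = {}
    for rx in (URI_PATH_1, URI_PATH_2):
        m = rx.search(raw)
        if m:
            fields.update(m.groupdict())
    return fields


def eval_url(fields: dict):
    """Equivalent of
    EVAL-url = if(isnull(contact_type), url, url . "/NIN/contactType/" . contact_type)
    """
    url = fields.get("url")
    contact_type = fields.get("contact_type")
    if contact_type is None:
        return url
    return url + "/NIN/contactType/" + contact_type


def process(events):
    """Extract fields for each event and apply the calculated url field."""
    results = []
    for raw in events:
        fields = extract_fields(raw)
        fields["url"] = eval_url(fields)
        results.append(fields)
    return results


# Assumed (hypothetical) index-time mask, the SEDCMD equivalent of replacing a
# 10-digit id in the URI before it reaches the index:
#   SEDCMD-mask_nin = s/id=\d{10}/id=NIN/g
# The EVAL above only hides the NIN in the summarised url field; the NIN field
# and _raw still carry the real value unless something like this runs at index time.
MASK_NIN = re.compile(r"id=\d{10}")


def sedcmd_mask(raw: str) -> str:
    return MASK_NIN.sub("id=NIN", raw)


if __name__ == "__main__":
    for fields in process(SAMPLE_EVENTS):
        print(fields)
    print(sedcmd_mask(SAMPLE_EVENTS[1]))
```

Running it shows the first event yielding url=/Core/Test/ with no NIN or contact_type, and the profile events yielding url=/Test//NIN/contactType/email and url=/Test//NIN/contactType/phone. The double slash comes from the trailing slash that [\/A-Za-z]+ keeps on url, so a trimmed url or a concatenation without the leading slash would be needed if that matters for reporting. Note also that after sedcmd_mask the second transform still matches, because \w+ accepts the literal NIN placeholder as the id.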
