Splunk ITSI

Regex concatenation in props & transforms

ialahdal
Path Finder

I am using regex to extract a field but I need 2 different regex.
so under transforms.conf I made 2 different regex but with the same field, under props I called them.

I seek to achieve 3 things,

1- mask data in uri if needed
2- concatenate fields if masked
3- extract uri

URIs come in 2 different forms
1- uri_path all letters with 1 field to extract: i.e /Core/Test/

2- uri_path_profile letters & numbers with 3 fields to extract i.e
*/Test/?id={NIN}&contactType={type}
*
where NIN is any 10 digit combination, and type is one out 3 possible strings

transforms.conf

#Field extraction for uri path
[uri_path]
REGEX = uri":"([\/A-Za-z]+)
FORMAT = uri::$1

[uri_path_profile]
REGEX = uri":"([\/A-Za-z]+)\?id=(\w+)&contactType=(\w+)
FORMAT = uri::$1?id=NIN&contactType=$3 NIN::$2 contact_type::$3

My end goal is to have both extracted regex into one field called uri but since the fields in the 2nd stanza is dynamic and will have a lot of entries i'd like them to all be made into one which would be
uri=/Test/?id=NIN&contactType=(group_3_value) so even if NIN has thousands of different records it will only show the 3 different strings at the end

is this doable?

Labels (1)
0 Karma
1 Solution

ialahdal
Path Finder

I solved this by using EVAL in props.conf

EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)

transforms.conf

[uri_path_1]
REGEX = uri":"(?<url>[\/A-Za-z]+)


[uri_path_2]
REGEX = uri":"(?<url>[\/A-Za-z]+)\?id=(?<NIN>\w+)&contactType=(?<contact_type>\w+)

View solution in original post

0 Karma

ialahdal
Path Finder

I solved this by using EVAL in props.conf

EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)

transforms.conf

[uri_path_1]
REGEX = uri":"(?<url>[\/A-Za-z]+)


[uri_path_2]
REGEX = uri":"(?<url>[\/A-Za-z]+)\?id=(?<NIN>\w+)&contactType=(?<contact_type>\w+)
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...