Can you extract from a field that was extracted in...

sillingworth · ‎06-01-2017

Using the docs here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf, specifically this section:

* Use '<regex> in <src_field>' to match the regex against the values of a
  specific field.  Otherwise it just matches against _raw (all raw event
  data).

I came up with this:

EXTRACT-metric_parts = : (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
EXTRACT-test = (?<metric_test>.*) in metric_path

All the field extractions in metric_parts work fine, but metric_test doesn't appear (it should be a duplicate of metric_path, according to my understanding of the readme).

Is there a limitation I'm missing here? Can src_field only be one of the automatic fields like source?

sillingworth · ‎06-02-2017

The extractions in the question are actually correct, but it seems a full refresh isn't enough to pull in the updated props.conf (I have no idea why).

Sticking | extract reload=true on the end of my search revealed the new fields.

sillingworth · ‎06-02-2017

Actually scratch that. The original config started working for me, which I put down to the reload=true, but if I then add a third line extracting a field from within metric_test it still doesn't appear, whereas if I add it based on _raw it does.

I wonder if something is required to make Splunk aware that it can use metric_test as the source field.

woodcock · ‎06-01-2017

It appears that you need it named twice so you can use fieldalias for that:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields

woodcock · ‎06-01-2017

Switch from Extract to Report in props.conf:

REPORT-ArbitraryButUniqueStringHere = metric_parts, test

Then in transforms.conf this:

[metric_parts]
REGEX = (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
[test]
SOURCE_KEY = metric_path
REGEX = (?<metric_test>.*)

sillingworth · ‎06-05-2017

What's the reason it has to be done that way? The docs suggest it's doable in extract.

woodcock · ‎06-05-2017

Evert EXTRACT happen simultaneously, as does every SEDCMD and many other things, but REPORT and TRANSFORMS can be serialized.

micahkemp · ‎06-01-2017

Though the documentation doesn't state this, I wonder if only works for indexed fields. Try setting it to source and see if that gives any results.

If that's the issue, you can use a transform and make use of the SOURCE_KEY directive instead to accomplish what you want.

sillingworth · ‎06-02-2017

Thanks for the answers guys. Turns out though what I have above works, once you reload the extracts with | extract reload=true. Added as an answer.

Can you extract from a field that was extracted in the same stanza?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Can you extract from a field that was extracted in the same stanza?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25