Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you extract from a field that was extracted in the same stanza?

sillingworth
Path Finder
‎06-01-2017 07:13 AM

Using the docs here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf, specifically this section:

* Use '<regex> in <src_field>' to match the regex against the values of a
  specific field.  Otherwise it just matches against _raw (all raw event
  data).

I came up with this:

EXTRACT-metric_parts = : (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
EXTRACT-test = (?<metric_test>.*) in metric_path

All the field extractions in metric_parts work fine, but metric_test doesn't appear (it should be a duplicate of metric_path, according to my understanding of the readme).

Is there a limitation I'm missing here? Can src_field only be one of the automatic fields like source?

0 Karma
Reply

sillingworth
Path Finder
‎06-02-2017 04:39 AM

The extractions in the question are actually correct, but it seems a full refresh isn't enough to pull in the updated props.conf (I have no idea why).

Sticking | extract reload=true on the end of my search revealed the new fields.

0 Karma
Reply

sillingworth
Path Finder
‎06-02-2017 06:13 AM

Actually scratch that. The original config started working for me, which I put down to the reload=true, but if I then add a third line extracting a field from within metric_test it still doesn't appear, whereas if I add it based on _raw it does.

I wonder if something is required to make Splunk aware that it can use metric_test as the source field.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-01-2017 01:26 PM

It appears that you need it named twice so you can use fieldalias for that:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields

0 Karma
Reply

woodcock
Esteemed Legend
‎06-01-2017 01:24 PM

Switch from Extract to Report in props.conf:

REPORT-ArbitraryButUniqueStringHere = metric_parts, test

Then in transforms.conf this:

[metric_parts]
REGEX = (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
[test]
SOURCE_KEY = metric_path
REGEX = (?<metric_test>.*)
Reply

sillingworth
Path Finder
‎06-05-2017 07:55 AM

What's the reason it has to be done that way? The docs suggest it's doable in extract.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-05-2017 10:16 PM

Evert EXTRACT happen simultaneously, as does every SEDCMD and many other things, but REPORT and TRANSFORMS can be serialized.

0 Karma
Reply

micahkemp
Champion
‎06-01-2017 07:27 AM

Though the documentation doesn't state this, I wonder if only works for indexed fields. Try setting it to source and see if that gives any results.

If that's the issue, you can use a transform and make use of the SOURCE_KEY directive instead to accomplish what you want.

0 Karma
Reply

sillingworth
Path Finder
‎06-02-2017 04:40 AM

Thanks for the answers guys. Turns out though what I have above works, once you reload the extracts with | extract reload=true. Added as an answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...