Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create the regex for an Index time field extraction?

MattibergB
Path Finder
‎02-21-2019 11:37 AM

Hi,

We are trying to create an index time field extraction. I tried following the docs, but I am making a mistake somewhere.

It is working as a search time extraction, but we are running into performance issues/would like to use tsats without a datamodel.

The log line is:

Feb 21 20:28:22 server-name %PARSER-5-TESTLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable

props:

[sourcetype]
TRANSFORMS-test = test

transforms:

[test]
REGEX = %(?\S+):\s(?[\S\s]+)
WRITE_META = true

Is anyone able to point me into the right direction?

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎02-21-2019 02:50 PM

Hi MattibergB,

You don't necessarily need to have names for the capturing groups 😉

Try this in your transforms.conf

[test]
REGEX = %(\S+):\s([\S\s]+)
FORMAT = $1::$2
WRITE_META = true

Put it on the parsing instance and restart Splunk.

Hope this helps ...

cheers, MuS

PS: don't forget to add fields.conf on your SH like @somesoni2 mentioned

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎02-21-2019 02:50 PM

Hi MattibergB,

You don't necessarily need to have names for the capturing groups 😉

Try this in your transforms.conf

[test]
REGEX = %(\S+):\s([\S\s]+)
FORMAT = $1::$2
WRITE_META = true

Put it on the parsing instance and restart Splunk.

Hope this helps ...

cheers, MuS

PS: don't forget to add fields.conf on your SH like @somesoni2 mentioned

0 Karma
Reply
Solved! Jump to solution

MattibergB
Path Finder
‎02-22-2019 03:25 AM

Thank you for pointing me in the right direction!

Matti

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-21-2019 11:44 AM

I hope you're following this documentation.
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction#Define_ad...

So check these
1) ensure the regex is correct.
2) You need to have a name to the capturing group (name of the field). I don't see that in the config you posted in the question.
3) Add an entry in the fields.conf (see the documentation above).
4) Ensure that you're placing the config in correct Splunk server (heavy forwarder OR indexer whichever comes first on your data flow).

Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top