Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me create the regex for an Index ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MattibergB
Path Finder
02-21-2019
11:37 AM
Hi,
We are trying to create an index time field extraction. I tried following the docs, but I am making a mistake somewhere.
It is working as a search time extraction, but we are running into performance issues/would like to use tsats without a datamodel.
The log line is:
Feb 21 20:28:22 server-name %PARSER-5-TESTLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
props:
[sourcetype]
TRANSFORMS-test = test
transforms:
[test]
REGEX = %(?\S+):\s(?[\S\s]+)
WRITE_META = true
Is anyone able to point me into the right direction?
Thanks in advance!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-21-2019
02:50 PM
Hi MattibergB,
You don't necessarily need to have names for the capturing groups 😉
Try this in your transforms.conf
[test]
REGEX = %(\S+):\s([\S\s]+)
FORMAT = $1::$2
WRITE_META = true
Put it on the parsing instance and restart Splunk.
Hope this helps ...
cheers, MuS
PS: don't forget to add fields.conf on your SH like @somesoni2 mentioned
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-21-2019
02:50 PM
Hi MattibergB,
You don't necessarily need to have names for the capturing groups 😉
Try this in your transforms.conf
[test]
REGEX = %(\S+):\s([\S\s]+)
FORMAT = $1::$2
WRITE_META = true
Put it on the parsing instance and restart Splunk.
Hope this helps ...
cheers, MuS
PS: don't forget to add fields.conf on your SH like @somesoni2 mentioned
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MattibergB
Path Finder
02-22-2019
03:25 AM
Thank you for pointing me in the right direction!
Matti
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-21-2019
11:44 AM
I hope you're following this documentation.
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction#Define_ad...
So check these
1) ensure the regex is correct.
2) You need to have a name to the capturing group (name of the field). I don't see that in the config you posted in the question.
3) Add an entry in the fields.conf (see the documentation above).
4) Ensure that you're placing the config in correct Splunk server (heavy forwarder OR indexer whichever comes first on your data flow).
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
