Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Conditional Field Extraction via props and transforms

KarunK
Contributor
‎03-26-2013 10:56 PM

Hi All,

I have a couple searches like below to extract field based on a condition of existence of a string in the log.

index="access_log" protocol="http" | rex field=url "<field_extraction_01>"
index="access_log" protocol="rtsp" | rex field=url "<field_extraction_02>"
index="access_log" protocol="rtmp" | rex field=url "<field_extraction_03>"

How will I implement this search time field extraction using props OR transforms ?

Thanks in Advance.

Cheers

KK

Tags (2)
0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎04-03-2013 09:15 PM

You can use either props or transforms. But in any case make sure that you scope the extraction on the field of interest. If you can't produce a regex that alternates on protocol, you may need to have separate regexes for each case. Here's an example using EXTRACT-xxx from props.conf. The "in url" string after the regex, narrows the scope of the extraction only on the url field.

[my_stanza]
EXTRACT-router= ...
EXTRACT-url_asset_01 = my_regex_01 in url
EXTRACT-url_asset_02 = my_regex_03 in url
EXTRACT-url_asset_03 = my_regex_03 in url

0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-26-2013 11:07 PM

I guess that you'd have to EXTRACT them for all events, or attempt to. Naturally they would fail in the case of a different protocol.

If you could provide a few sample events, it would be easier to see if you need one or more EXTRACTs. Depending on the look of your events you could perhaps do something like;

[sourcetype]
EXTRACT-woo = proto=(http|rtsp|rtmp)\s+url=(?<field>\w+)[\w.-]+\s

/K

0 Karma
Reply

KarunK
Contributor
‎04-03-2013 08:58 PM

As requested I have added the props and sample events. Based on protocol I need two regex to extract the asset value from the field "URL".

EXTRACT-router=^(?P\S+?)\s+(?P\S+?)\s+(?P\S+?)\s+(?P

10.11.12.13 WMPlayer 2013-04-04 03:49:59 rtsp://XXXXX.com/channelA?SIGV=adbfvbavbsbmsdbsvbha67v8776avavkjah89 RTSP 404 -
10.11.12.14 Mozilla 2013-04-04 03:49:59 http://XXXXX.com/ABC/123/456/DEFGHGJGJG/DragonsGate-270x390.jpg HTTP 302 -

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...