Splunk Search

Create a new field from a field-extraction

Explorer

Hello:

I have an existing field named "filename" (extracted by Splunk) in this format: abcdefg.000000AB.DDD01A222222222222222222.xml. I want to create a new field that extracts the characters in the position of "DDD01A" in the field above.

I do not want to lose the existing "filename" extraction - I want to add another column with the new value.

The Extract New Fields GUI did not work. Can someone please advise?

Thanks!

0 Karma
1 Solution

Champion

|eval new=substr(filename,18,6)


SplunkTrust

I'm assuming that you want to do an automatic field extraction. This is possible by modifying the regex that is used for the field extraction. I'm going to assume that you already have the part of the regex that extracts the filename field. To do what you have described, modify the regex to something like the following:

(?P<filename>\w+\.\w+\.(?P<new>\w{6})\w+\.xml)

This will allow the 6-character portion that you wanted to be extracted within the other field (filename). You haven't described the complete field extraction for either of the fields, so I'm just going by what is there as an example. You can find an example of this type of field extraction in my .conf2017 presentation:

http://conf.splunk.com/files/2017/slides/beyond-regular-regular-expressions-v20.pdf

It starts on slide 76 in the PDF. The video is also available at:

http://conf.splunk.com/files/2017/recordings/beyond-regular-regular-expressions-v2-point-0.mp4

That part of the presentation starts at 38:33. These are both going to initiate downloads.

0 Karma

SplunkTrust

First, try this in a search and verify it pulls what you want.

| rex field=filename "^[^\.]*\.[^\.]*\.(?<mynewfield>.{6})"

Assuming that selects what you want, then in transforms.conf you want a stanza to extract your field...

[mynewfieldstanza]

SOURCE_KEY = filename 
REGEX      = ^[^\.]*\.[^\.]*\.(?<mynewfield>.{6})
FORMAT     = mynewfield::$1

... and in props.conf in the stanza for the appropriate source type you need to tell the system to execute that stanza, after you execute whatever extracts filename.

That could be a line in the mysourcetype stanza that says,

[mysourcetype]
TRANSFORMS-foo1 = myfilenamestanza
TRANSFORMS-foo2 = mynewfieldstanza

or

REPORT-foo2 = mynewfieldstanza

or

# EXTRACT takes the regex inline (optionally "in <source field>"), not a transforms.conf stanza name
EXTRACT-foo2 = ^[^\.]*\.[^\.]*\.(?<mynewfield>.{6}) in filename
0 Karma
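Added example, not code from the thread: a Python script that applies the thread's three approaches, the 1-indexed substr() from the accepted answer, the nested named groups from the automatic-extraction answer, and the rex pattern from the answer above, to a constructed sample filename plus a constructed variant with a longer first segment. It shows that the fixed-offset substr shifts when the prefix length changes while the dot-anchored regexes still return DDD01A. Python's re module only accepts the (?P<name>...) spelling of a named group, whereas Splunk's PCRE accepts both (?<name>...) and (?P<name>...).

```python
import re

# Constructed sample in the format the question describes.
SAMPLE = "abcdefg.000000AB.DDD01A222222222222222222.xml"
# Constructed variant with a 10-character first segment, to show where a
# fixed character offset breaks but a dot-anchored regex still works.
SAMPLE_LONG_PREFIX = "abcdefghij.000000AB.DDD01A222222222222222222.xml"

# Nested named groups, as in the automatic-extraction answer.
NESTED = re.compile(r"(?P<filename>\w+\.\w+\.(?P<new>\w{6})\w+\.xml)")

# The rex pattern from the search-time answer, with (?<name>) rewritten as
# (?P<name>) because Python's re only accepts that spelling.
REX = re.compile(r"^[^\.]*\.[^\.]*\.(?P<mynewfield>.{6})")


def splunk_substr(value: str, start: int, length: int) -> str:
    """Emulate Splunk eval substr(): start is 1-indexed, as in substr(filename,18,6)."""
    return value[start - 1:start - 1 + length]


def extract_all(filename: str) -> dict:
    """Return what each of the three approaches yields for one filename value."""
    nested = NESTED.search(filename)
    rex = REX.search(filename)
    return {
        "substr": splunk_substr(filename, 18, 6),
        "nested_filename": nested.group("filename") if nested else None,
        "nested_new": nested.group("new") if nested else None,
        "rex": rex.group("mynewfield") if rex else None,
    }


if __name__ == "__main__":
    for name in (SAMPLE, SAMPLE_LONG_PREFIX):
        print(name, extract_all(name))
```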

Contributor

Hi @DalJeanis

I am using a similar search to extract a field from the "source" field.
My query is index=xyz sourcetype="abc" host="hostname" |rex field=source ".?\bxyz\b\/(?.?)\/"

But when I add the same extraction in the field extractions from the Settings tab, I add the expression as

field=source ".?\bxyz\b\/(?.?)\/"

When I do this the extraction doesn't work.

0 Karma

Explorer

Thanks for the feedback!

0 Karma