Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

EXTRACT-field regex in props.conf not extracting multiple values for the match.

bhupalbobbadi
Path Finder
โ€Ž08-04-2020 10:44 AM

Hi There,

Thank you for stop by and helping.

I've a regex which extracts all URLs and domains from given field, this regex is working fine with the following search query

| makeresults |eval body="An issue on an object you are monitoring-- details here: https://SOME1-ORIONWB01:443/Orion/View.aspx?NetObje?a=b&c=dct=I:54020.<br/>View full alert details here: https://SOME2-ORIONWB01:443/Orion/View.aspx?NetObject=AAT:90460"
|rex max_match=0 field=body "(?<URL>(?<proto>(((https?|ftp|gopher|telnet|file)(:\/\/))|(www\.)))(?<domain>[:\w\.-]+)[\w\&\=\/\?\.\:]+)"

 

but, when I put the same regex in props.conf (Settings>> Fields ยป Field extractions ยป domain_extractor, it is extracting only first URL and domain.

I see the manual search "has max_match=0", I could not find similar config for "Filed extractions", Any suggestions? if there is any such config  OR do we need to do this in different way?

TIA.

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Champion
โ€Ž08-04-2020 12:15 PM

You canโ€™t extract field from another field using props.conf

you can only extract using _raw.

to get max_match worked in config files you should have stanza in transforms.conf

https://community.splunk.com/t5/Archive/where-can-i-set-max-match-option/td-p/29299

โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
Champion
โ€Ž08-04-2020 12:15 PM

You canโ€™t extract field from another field using props.conf

you can only extract using _raw.

to get max_match worked in config files you should have stanza in transforms.conf

https://community.splunk.com/t5/Archive/where-can-i-set-max-match-option/td-p/29299

โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution

bhupalbobbadi
Path Finder
โ€Ž08-04-2020 12:51 PM

Thank you for quick help. It worked.

What I did is as follows.

1. Moved the regex to tranforms.conf --> where we can add MV_ADD =1 for REGEX.

2. Added Field Extraction with reference to transforms stanza.

 

0 Karma
Reply