Splunk Search

EXTRACT-field regex in props.conf not extracting multiple values for the match.

bhupalbobbadi
Path Finder

Hi There,

Thank you for stop by and helping.

I've a regex which extracts all URLs and domains from given field, this regex is working fine with the following search query

| makeresults |eval body="An issue on an object you are monitoring-- details here: https://SOME1-ORIONWB01:443/Orion/View.aspx?NetObje?a=b&c=dct=I:54020.<br/>View full alert details here: https://SOME2-ORIONWB01:443/Orion/View.aspx?NetObject=AAT:90460"
|rex max_match=0 field=body "(?<URL>(?<proto>(((https?|ftp|gopher|telnet|file)(:\/\/))|(www\.)))(?<domain>[:\w\.-]+)[\w\&\=\/\?\.\:]+)"

 

but, when I put the same regex in props.conf (Settings>> Fields » Field extractions » domain_extractor, it is extracting only first URL and domain.

I see the manual search "has max_match=0", I could not find similar config for "Filed extractions", Any suggestions? if there is any such config  OR do we need to do this in different way?

TIA.

 

 

 

 

Labels (2)
0 Karma
1 Solution

thambisetty
SplunkTrust
SplunkTrust

You can’t extract field from another field using props.conf

you can only extract using _raw.

to get max_match worked in config files you should have stanza in transforms.conf

https://community.splunk.com/t5/Archive/where-can-i-set-max-match-option/td-p/29299

————————————
If this helps, give a like below.

View solution in original post

thambisetty
SplunkTrust
SplunkTrust

You can’t extract field from another field using props.conf

you can only extract using _raw.

to get max_match worked in config files you should have stanza in transforms.conf

https://community.splunk.com/t5/Archive/where-can-i-set-max-match-option/td-p/29299

————————————
If this helps, give a like below.

bhupalbobbadi
Path Finder

Thank you for quick help. It worked.

What I did is as follows.

1. Moved the regex to tranforms.conf --> where we can add MV_ADD =1 for REGEX.

2. Added Field Extraction with reference to transforms stanza.

 

0 Karma
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...