- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- EXTRACT-field regex in props.conf not extracting m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi There,
Thank you for stop by and helping.
I've a regex which extracts all URLs and domains from given field, this regex is working fine with the following search query
| makeresults |eval body="An issue on an object you are monitoring-- details here: https://SOME1-ORIONWB01:443/Orion/View.aspx?NetObje?a=b&c=dct=I:54020.<br/>View full alert details here: https://SOME2-ORIONWB01:443/Orion/View.aspx?NetObject=AAT:90460"
|rex max_match=0 field=body "(?<URL>(?<proto>(((https?|ftp|gopher|telnet|file)(:\/\/))|(www\.)))(?<domain>[:\w\.-]+)[\w\&\=\/\?\.\:]+)"
but, when I put the same regex in props.conf (Settings>> Fields » Field extractions » domain_extractor, it is extracting only first URL and domain.
I see the manual search "has max_match=0", I could not find similar config for "Filed extractions", Any suggestions? if there is any such config OR do we need to do this in different way?
TIA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
You can’t extract field from another field using props.conf
you can only extract using _raw.
to get max_match worked in config files you should have stanza in transforms.conf
https://community.splunk.com/t5/Archive/where-can-i-set-max-match-option/td-p/29299
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
You can’t extract field from another field using props.conf
you can only extract using _raw.
to get max_match worked in config files you should have stanza in transforms.conf
https://community.splunk.com/t5/Archive/where-can-i-set-max-match-option/td-p/29299
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Thank you for quick help. It worked.
What I did is as follows.
1. Moved the regex to tranforms.conf --> where we can add MV_ADD =1 for REGEX.
2. Added Field Extraction with reference to transforms stanza.
Register for FREE Today!
We've made .conf21 totally virtual
and totally FREE! Our completely
online experience will run from 10/19
through 10/20 with some additional
events, too!
Learn More or Register Now >
