Splunk Search

EXTRACT-field regex in props.conf not extracting multiple values for the match.

bhupalbobbadi
Path Finder

Hi There,

Thank you for stopping by and helping.

I have a regex which extracts all URLs and domains from a given field; this regex is working fine with the following search query:

| makeresults |eval body="An issue on an object you are monitoring-- details here: https://SOME1-ORIONWB01:443/Orion/View.aspx?NetObje?a=b&c=dct=I:54020.<br/>View full alert details here: https://SOME2-ORIONWB01:443/Orion/View.aspx?NetObject=AAT:90460"
|rex max_match=0 field=body "(?<URL>(?<proto>(((https?|ftp|gopher|telnet|file)(:\/\/))|(www\.)))(?<domain>[:\w\.-]+)[\w\&\=\/\?\.\:]+)"


But when I put the same regex in props.conf (Settings » Fields » Field extractions » domain_extractor), it is extracting only the first URL and domain.

I see the manual search has max_match=0, but I could not find a similar config for "Field extractions". Any suggestions? Is there any such config, or do we need to do this in a different way?

TIA.

1 Solution

thambisetty
SplunkTrust

You can't extract a field from another field using props.conf;

you can only extract using _raw.

To get max_match to work in config files, you should have a stanza in transforms.conf:

https://community.splunk.com/t5/Archive/where-can-i-set-max-match-option/td-p/29299

————————————
If this helps, give a like below.


bhupalbobbadi
Path Finder

Thank you for the quick help. It worked.

What I did is as follows.

1. Moved the regex to transforms.conf --> where we can add MV_ADD = 1 for the REGEX.

2. Added a Field Extraction with a reference to the transforms stanza.

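For reference, the two steps above spelled out as configuration; this is an added example rather than the poster's actual files, and the sourcetype name `my_sourcetype` is an assumption. The regex is the one from the original `| rex` search.

```ini
# --- transforms.conf (added example; stanza name matches the field extraction the poster created) ---
[domain_extractor]
# Same pattern as in the | rex search. Search-time transforms run against _raw by default,
# which is why a one-shot EXTRACT- on a field only returned the first match.
REGEX = (?<URL>(?<proto>(((https?|ftp|gopher|telnet|file)(:\/\/))|(www\.)))(?<domain>[:\w\.-]+)[\w\&\=\/\?\.\:]+)
# Equivalent of max_match=0: keep every match as a multivalue field instead of stopping at the first.
MV_ADD = true
# Optional: if the text to scan is an already-extracted field (e.g. body) rather than _raw,
# point the transform at that field instead of the default.
# SOURCE_KEY = body

# --- props.conf (added example; my_sourcetype is an assumed sourcetype name) ---
[my_sourcetype]
# REPORT- wires the transforms.conf stanza in as a search-time field extraction,
# producing multivalue URL, proto and domain fields on each matching event.
REPORT-domain_extractor = domain_extractor
```

After deploying both files, restart or debug/refresh the search head and confirm with `| stats count by domain` that events with several URLs now yield one value per URL.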