
Extraction in props.conf....still allowed?

dcroteau
Splunk Employee

Hi All,

I need a sanity check. This extraction seemed to work in 4.0. Can someone help? mac_address and source_ip do not show up.

Example Event:

Tue May 11 18:00:32 EDT 2010 prod : xwel22p user=steve ERROR [THREAD]WebContainer REQUEST for 10.12.121.1 [NAMESPACE]com.health .ava.reporting.Ava.reporting.AVAReportingController from 00:1d:e0:24:a1:02 System reassigned Call :: Reason Code = '000012' ICM Call Key = '14949526813' :: Host Key = '21'

So I want to extract 2 fields in Red above: source_IP and mac_address from the source: logtest.log and sourcetype tix.

Stanza in props.conf. (I just put it in the etc/system/local/props.conf to test):

[source::.../logtest.log]
sourcetype = tix
EXTRACT-0 = REQUEST for (?<sourceip>\d+.\d+.\d+.\d+) from (?<macaddress>00:*?:\w+:\w+:\w+:\w+:\w+)

NOTE: I know that sourceip and macaddress need the "<", but answers.splunk.com will blank out the field name....must be a html thing.

0 Karma

gkanapathy
Splunk Employee

use the "code" formatting button in the answers.splunk.com editor window to fix your formatting and display literal text please.

0 Karma

Lowell
Super Champion

Try using:

[source::.../logtest.log]
sourcetype = tix

[tix]
EXTRACT-0 = (?i)\b(?P<sourceip>\d+\.\d+\.\d+\.\d+) .*? from (?P<macaddress>[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2})\b

(You can indent 4 spaces to use "code" mode.. Or use backticks)

smisplunk
Path Finder

First: You can use & l t ; all mushed together to get a < symbol.

Next, I would say that your regex doesn't have enough room for the stuff that appears between the IP address and the MAC address within the line. Your regex says "inbetween a dotted IP address and a MAC address is the string ' from ' and nothing more". I think if you added some wildcard characters to your regex between the two matches, you'd be in good shape. I've used EXTRACT phrases in props.conf without issue.

You may also wish to use the regex search operator to fine tune your regular expression before putting it in the file. Issue a search generic enough to find log events like the one you've excerpted above, then | regex <your_regex_here>. The named fields you've extracted would then appear in the field picker area on the bottom left.

Finally, you may wish to escape the . characters in the regex for the sourceip field; . by itself means "match any character", so you'd also find strings like 1a2b3c4.

0 Karma

Lowell
Super Champion

I think you mean rex not regex. The regex search command is used to filter in/out events that match a regex. But with rex you can actually test extract values. Once you have a working regex, you can copy and paste it into your props.conf file.

0 Karma
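As an added illustration (not code from anyone in this thread), here is a Python dry-run of both regexes against the sample event, doing outside Splunk what the rex test above does inside it. It assumes Python's re engine treats these patterns the same way Splunk's PCRE does, and it rewrites the question's regex with Python's (?P<name>...) group syntax, leaving it otherwise unchanged.

```python
import re

# Sample event, constructed from the one in the question above (namespace spacing tidied).
EVENT = (
    "Tue May 11 18:00:32 EDT 2010 prod : xwel22p user=steve ERROR [THREAD]WebContainer "
    "REQUEST for 10.12.121.1 [NAMESPACE]com.health.ava.reporting.Ava.reporting.AVAReportingController "
    "from 00:1d:e0:24:a1:02 System reassigned Call :: Reason Code = '000012' ICM Call Key = '14949526813'"
)

# The regex from Lowell's answer: escaped dots in the IP, a lazy .*? to skip the namespace text
# that sits between the IP and " from ", and a case-insensitive two-hex-digit MAC pattern.
EXTRACT_FIXED = re.compile(
    r"(?i)\b(?P<sourceip>\d+\.\d+\.\d+\.\d+) .*? from "
    r"(?P<macaddress>[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2})\b"
)

# The question's regex, rewritten with Python's (?P<name>...) group syntax but otherwise unchanged:
# unescaped dots, and nothing allowed between the IP and " from ".
EXTRACT_ORIGINAL = re.compile(
    r"REQUEST for (?P<sourceip>\d+.\d+.\d+.\d+) from (?P<macaddress>00:*?:\w+:\w+:\w+:\w+:\w+)"
)


def extract(pattern, event):
    """Apply an EXTRACT-style regex; return the named groups, or {} when nothing matches
    (the equivalent of Splunk silently producing no fields)."""
    match = pattern.search(event)
    return match.groupdict() if match else {}


def looks_like_ip(text, escape_dots=True):
    """Show smisplunk's point about '.': with unescaped dots, '1a2b3c4' passes as an IP."""
    sep = r"\." if escape_dots else "."
    return re.fullmatch(rf"\d+{sep}\d+{sep}\d+{sep}\d+", text) is not None


if __name__ == "__main__":
    print("original:", extract(EXTRACT_ORIGINAL, EVENT))  # {} -> fields never appear
    print("fixed:   ", extract(EXTRACT_FIXED, EVENT))
    print("1a2b3c4 with unescaped dots:", looks_like_ip("1a2b3c4", escape_dots=False))
```

The original pattern fails only because the namespace text between the IP and " from " has nowhere to go; the MAC part itself would have matched.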