Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field Extraction Question

Ant1D
Motivator
‎09-07-2010 02:50 PM

Hey,

I am having a look at transforms.conf and props.conf configuration files and wondering about the following question:

How do you do a field extraction from the source field (i.e. field=source) at search time? (An example of this would be great to see)

Thanks in advance for your help.

To add to what I said above:

The source field displays a file path when you run a search in Splunk. There is a word within that file path which I want Splunk to extract and place in a field called TheWord. How can I achieve this using props.conf and/or transforms.conf?

0 Karma
Reply

wollinet
Path Finder
‎03-09-2011 02:54 PM

You just need to use SOURCE_KEY in the transform.

props.conf:

[source-extract]
REPORT-sourcefield = source-transform

transform.conf:

[source-transform]
SOURCE_KEY = source
REGEX = .......
FORMAT = fieldname=$1
0 Karma
Reply

Brian_Osburn
Builder
‎09-07-2010 03:15 PM

You can set up the just the props.conf to extract fields at search time.

I'm going to use my environment as an example. Our Apache logs are pipe | delimited. So I have the following in my props.conf:

[prod_apache_logs]

EXTRACT- = (?P[\d]+.[\d]+.[\d]+.[\d]+)\|[(?P[\d]{2}\/[\w]{3}\/[\d]{4}):(?P[\d]{2}:[\d]{2}:[\d]{2})\s-[\d]+]\|(?P[\d]+)\|\"(?P[\S]+)\s(?P\/[\S]+)\s(?P.)\"\|(?P[\d]+)\|(?P[\W\d]+)\|(?P.)\|(?P.*)

prod_apache_logs = sourcetype of my apache logs.

Easiest way to test this is to use the "rex" command in the search. IE, I would use something like this:

sourcetype="prod_apache_logs" | rex "(?P[\d]+.[\d]+.[\d]+.[\d]+)\|[(?P[\d]{2}\/[\w]{3}\/[\d]{4}):(?P[\d]{2}:[\d]{2}:[\d]{2})\s-[\d]+]\|(?P[\d]+)\|\"(?P[\S]+)\s(?P\/[\S]+)\s(?P.)\"\|(?P[\d]+)\|(?P[\W\d]+)\|(?P.)\|(?P.*)"

Hope this helps!

0 Karma
Reply

Ant1D
Motivator
‎09-07-2010 04:50 PM

Have a look at http://answers.splunk.com/questions/6511/field-extraction-mystery for an example source

0 Karma
Reply

Brian_Osburn
Builder
‎09-07-2010 04:39 PM

If you provide an example of your source, I'll write up the exact command.

In my case, my source is something like this: /opt/http/logs/www.mysite.com-access.log.

Using ltrim / rtrim, I extract out the /opt/http/logs and the -access.log to leave me with www.mysite.com:
..| eval web_site=ltrim(source,"/opt/httpd/logs") | eval web_site=rtrim(web_site,"-access.log")

0 Karma
Reply

Ant1D
Motivator
‎09-07-2010 04:10 PM

How would I do it using eval and ltrim/rtrim?

0 Karma
Reply

Brian_Osburn
Builder
‎09-07-2010 04:00 PM

Okay, I just read your update. I'm not sure how you would do it in in props.conf or transforms.conf.. I know you can do it via the standard search using eval and ltrim / rtrim..

0 Karma
Reply

Ant1D
Motivator
‎09-07-2010 03:57 PM

I forgot to say thanks for your help. I added more to my question above which will hopefully confirm what I am seeking

0 Karma
Reply

Ant1D
Motivator
‎09-07-2010 03:47 PM

The data that I want to extract is not in _raw but it is in source. Therefore I don't believe this will work. I tried this and it did not work as expected.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...