Field Extractions

Communicator

Hello,

I am trying to configure a props/transforms and it is not working. It does not come up as an extra field that I can select on the web search.

Can you see anything wrong with this?

The path i am extracting from looks something like /app/ems/envs/U1_LN_DERIV_TMS/logs/trace.log

I want to pick up the directory name in the middle - U1_LN_DERIV_TMS.

I even tried changing my regex to (.*) to see if there was a problem with the regex (which I have tested in the Splunk web and it worked fine) and it still doesn't come through.

Have I missed something obvious? I have also tried it with and without the quotes around the REGEX.

props.conf:

[source::///app/ems/envs/uat/.../logs/trace.log]
REPORT-ems = instanceName

transforms.conf:

[instanceName]
SOURCE_KEY = source
REGEX=\/app\/ems\/envs\/uat\/([A-Z0-9_]*)\/logs\/trace.log
FORMAT = emsinstance::$1

Splunk Employee

Too many slashes at the beginning of [source:///...]. The extra slashes are only used (rather unnecessarily anyway) in inputs.conf stanzas, not props.conf.

Also, you can test regexes at the CLI directly using the | rex search command:

... | rex field=source "/app/ems/envs/uat/(?<emsinstance>\w*)/logs/trace.log"


Super Champion

gkanapathy is right about what your problem is. I just had a few thoughts that wouldn't fit in a comment.

Just so you know, you can use named capture groups, like (?<emsinstance>\w+), in your transforms.conf file just like you do using rex. When you're using named groups, you don't need the FORMAT line anymore. I found that this approach makes it quicker to jump between interactive testing with rex and then copying the regex into my transforms.conf file.

In this case, you also have the option of using an EXTRACT entry in your props.conf file. I rather prefer this approach, since you can set up everything in one place, and you don't have to come up with some arbitrary transformer name. 😉

Here's an example in props.conf:

[source::/app/ems/envs/uat/*/logs/trace.log]
EXTRACT-fields = [/\\]uat[/\\](?<emsinstance>[\w_]+)[/\\]logs[/\\] in source

Notes: I use [/\\] because it will match both unix-style and dos-style paths (if that's a concern for you; you can use that in your source config entry too, although it looks ugly: [source::[/\\]app[/\\]ems[/\\]envs[/\\]uat[/\\]*[/\\]logs[/\\]trace.log]). You may also note that I'm not matching the whole path in the regex, since in this case you really don't need to: your [source::...] stanza is already doing that work for you.

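As an added illustration (not code from the thread), this Python snippet applies the answer's named-group regex to constructed unix- and dos-style source paths and approximates how a [source::...] stanza's wildcards match, so the "too many slashes" and "*" versus "..." points can be checked offline. The wildcard emulation ("..." spans path separators, "*" does not) is an assumption based on Splunk's documented semantics, not Splunk's own matcher.

```python
import re

# The EXTRACT regex from the answer, rewritten for Python's re module:
# Splunk/PCRE (?<name>...) becomes (?P<name>...); [/\\] matches "/" or "\".
EMS_INSTANCE_RE = re.compile(r"[/\\]uat[/\\](?P<emsinstance>[\w_]+)[/\\]logs[/\\]")


def extract_ems_instance(source: str):
    """Return the emsinstance value the regex extracts from a source path, or None."""
    m = EMS_INSTANCE_RE.search(source)
    return m.group("emsinstance") if m else None


def source_stanza_to_regex(stanza: str) -> "re.Pattern":
    """Approximate a props.conf [source::...] pattern as an anchored regex.

    Assumption (per Splunk's documented wildcards): "..." matches anything
    including path separators, "*" matches anything except a separator,
    every other character is literal. The whole source must match.
    """
    parts, i = [], 0
    while i < len(stanza):
        if stanza.startswith("...", i):
            parts.append(".*")
            i += 3
        elif stanza[i] == "*":
            parts.append(r"[^/\\]*")
            i += 1
        else:
            parts.append(re.escape(stanza[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def stanza_matches(stanza: str, source: str) -> bool:
    return source_stanza_to_regex(stanza).match(source) is not None


# Constructed sample source paths (not taken from a real environment).
UNIX_SOURCE = "/app/ems/envs/uat/U1_LN_DERIV_TMS/logs/trace.log"
DOS_SOURCE = r"C:\app\ems\envs\uat\U1_LN_DERIV_TMS\logs\trace.log"
NESTED_SOURCE = "/app/ems/envs/uat/U1_LN_DERIV_TMS/extra/logs/trace.log"

if __name__ == "__main__":
    print(extract_ems_instance(UNIX_SOURCE))  # U1_LN_DERIV_TMS
    print(extract_ems_instance(DOS_SOURCE))   # U1_LN_DERIV_TMS
    # "..." spans the extra directory, "*" stays within one segment.
    print(stanza_matches("/app/ems/envs/uat/.../logs/trace.log", NESTED_SOURCE))  # True
    print(stanza_matches("/app/ems/envs/uat/*/logs/trace.log", NESTED_SOURCE))    # False
    # Three leading slashes can never match a source that starts with one.
    print(stanza_matches("///app/ems/envs/uat/.../logs/trace.log", UNIX_SOURCE))  # False
```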


Communicator

Thanks, I will try this - I have already been using rex to test my regex, which is why I assumed it was probably a syntax issue rather than a regex issue!
