Splunk Search

Field extraction using Splunk dashboard - appending constant text to an extracted field

Explorer

I want to extract a new field from the original source field, based on regex matches. I would then like to prepend/append some constant text to the extracted value. I would like to do this using the field transformation and field extraction dialogs in the Splunk web admin (alternatively I can also modify the light forwarder configs).

As an example, if the log file source contains the text "External", I would like to create a new field called "zone" with the value "Zone-External". I can achieve this via splunk search using the rex and eval commands, like the following:

Example source:
/opt/app/logs/CrowdCounting/cc_ip52_External-20161123.log

Dashboard query:
sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-".zone_extract

Using the field transformation/extraction admin dialogs, I can extract a field containing the matched text (i.e. zone=External), but I am unable to prepend/append any text to the value. Does anyone know how I can achieve this?

Alternatively, it would also be OK if I can do this via the splunkforwarder configs; however, it appears this is not possible on a light forwarder. But I may be wrong?

Note: the data is ingested using a light universal splunkforwarder, and I am not able to modify the configs on the indexer at all.

Thanks,
Allan

Esteemed Legend

Go to Settings -> Fields -> Field extractions -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Select inline from the type list and enter (?<zone_extract>External|OutsideCorner|Inside|FarSide) in the Extraction/Transform field.
Click Save.

Go to Settings -> Fields -> Calculated fields -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Enter zone in the Name box.
Enter "Zone-" + zone_extract in the Eval expression box.
Click Save.

0 Karma
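For reference, the same two settings as the search-time props.conf stanza that these dialogs write; this is an added example, not from the thread or from Splunk's documentation, and the app directory it names is a placeholder.

```ini
# props.conf: search-time equivalent of the two UI dialogs above (added example).
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf on the
# search head, where <your_app> is a placeholder for the destination app.
# Both settings are search-time only, so nothing changes on the universal
# forwarder or the indexer.
[crowd_count]

# Field extraction. "in source" runs the regex against the source field (the
# log path from the question) instead of _raw, which is the default target.
EXTRACT-zone_extract = (?<zone_extract>External|OutsideCorner|Inside|FarSide) in source

# Tighter alternative (assumes every file name follows the example
# cc_ip52_External-20161123.log pattern): anchoring to the file name stops a
# zone word that appears in a directory component from being picked up first.
# EXTRACT-zone_extract = cc_ip\d+_(?<zone_extract>External|OutsideCorner|Inside|FarSide)-\d{8}\.log$ in source

# Calculated field. EVAL- settings are applied after EXTRACT- settings, so
# zone_extract already exists here. "." is the SPL string concatenation
# operator; "+" also concatenates when both operands are strings.
EVAL-zone = "Zone-" . zone_extract
```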

Legend

Hi jamesar.
try

sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-"+zone_extract

Bye.
Giuseppe

0 Karma

Explorer

Hmm... thanks for your effort Joseph. But as I said in the question, my search query listed in my question works correctly. However, I need to achieve this via the admin web interface (Field Transformations/Extractions pages) or alternatively via the Splunk light forwarder configs (although I don't think that is possible without modifying the configs on the Splunk indexer, which I do not have access to).

Thanks anyway,
Allan

0 Karma

Legend

Hi jamesar,
sorry, I didn't understand your need!
Anyway, you can use the admin web interface:

  • to extract the zone_extract field, modify an existing regex to (?<zone_extract>External|OutsideCorner|Inside|FarSide) on source, or create a new one with this regex;
  • create the "zone" field using the calculated field "Zone-"+zone_extract.

Bye.
Giuseppe

0 Karma