
Field transformation on source not working

archananaveen
Explorer

Hi There,

There is no content in dummy field although the regex works fine. Please could you help me with this?

Type: Regex-based
Regular expression: "(\/\w+){2}\/(?.?)\/"

Tried "(\/\w+){2}\/(?.?)\/" in source

Source Key: source

Checked create multi valued fields.

same source field content is as below:
/folder1/folder2/SAMPLE1/Test.log
/folder1/folder2/SAMPLE2/Test.log

0 Karma

archananaveen
Explorer

This worked after | extract reload=true. However, output is displayed at times and doesn't show any at other times. Is there any way to extend the search time or what is the alternative way to fix this problem?
index = * sourcetype=xxxx| dedup pathName | sort pathName | table pathName

0 Karma

richgalloway
SplunkTrust

There may be typos in your regular expressions. Please edit your question and put the regex strings inside backticks ('`') so all characters are preserved.

---
If this reply helps you, Karma would be appreciated.
0 Karma

archananaveen
Explorer

Regular expression inside the brackets: ('(\/\w+){2}\/(?.*?)\/')

In other blogs there is a mention of adding fields to *.conf's, but I do not have access to all of those. Is there any workaround with UI Field transformers?

0 Karma

richgalloway
SplunkTrust

That regex has an error in it. The leading question mark in the "(?.*?)" bit is out of place. Perhaps it's supposed to be a field extraction? If so, putting the entire regex inside backticks will make it visible (or highlight it and click the "101010" button).

0 Karma

archananaveen
Explorer
0 Karma

richgalloway
SplunkTrust

Have you tried this alternative regex (\/\w+){2}\/(?<dummy>[^\/]*)\/?

0 Karma
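
The three regex variants from this thread, run against the sample source values from the question, as an added example that is not code from any poster. It assumes the asker's intended pattern had a named group `dummy` (the group name is missing from the regex as posted), reads the final `?` of the alternative regex as sentence punctuation, and uses the JavaScript regex engine, which is not Splunk's PCRE; `extractDummy` and `runAll` are hypothetical helper names.

```javascript
// Sample source values: the first two are quoted in the question,
// the third is constructed to show a path that is too shallow to match.
const sources = [
  "/folder1/folder2/SAMPLE1/Test.log",
  "/folder1/folder2/SAMPLE2/Test.log",
  "/folder1/Test.log",
];

// Patterns kept as plain strings, the way they are pasted into the form.
const patterns = {
  // As it appears in the thread, with the group name missing.
  asPosted: String.raw`(\/\w+){2}\/(?.*?)\/`,
  // Assumed intent: named group "dummy" (field name from the question).
  assumedIntent: String.raw`(\/\w+){2}\/(?<dummy>.*?)\/`,
  // Alternative from the reply above.
  alternative: String.raw`(\/\w+){2}\/(?<dummy>[^\/]*)\/`,
};

// Compile one pattern and pull the "dummy" group out of every input.
// A pattern that does not compile yields its error name and no values.
function extractDummy(pattern, inputs) {
  let re;
  try {
    re = new RegExp(pattern);
  } catch (e) {
    return { error: e.name, values: [] };
  }
  const values = inputs.map((s) => {
    const m = re.exec(s);
    // m.groups is undefined when the pattern has no named groups.
    return m && m.groups && m.groups.dummy !== undefined ? m.groups.dummy : null;
  });
  return { error: null, values };
}

// Run every variant over the same inputs so the results can be compared.
function runAll() {
  const out = {};
  for (const [name, p] of Object.entries(patterns)) {
    out[name] = extractDummy(p, sources);
  }
  return out;
}

console.log(JSON.stringify(runAll(), null, 2));
```
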

archananaveen
Explorer

This is not working. Is there any different method to display the output of this transformation?

0 Karma

richgalloway
SplunkTrust

The /opt/splunk/bin/pcregextest command will show how Splunk is interpreting your regex string, which is likely to be different from web pages like regex101.com.

What is the context for this regex? Can you share the stanza in which it is used?

0 Karma