Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Getting the wrong fields extracted from my props and transforms conf files

Sparky1
Explorer
‎07-18-2019 12:53 PM

So i'm trying to extract and ip address from a multi-value field
and my transforms stanza is something along these lines

transforms.conf
[ip]
REGEX = ((?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*)
FORMAT = IP::$1

props.conf

[host::hostname]
TIME_FORMAT = %a %b %d %H:%M:%S %T %Y
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-ip = ip

So this works, however it also extracts the source, sourcetype and host values in my new ip field.
So i have random fields that look like IP= source::source|host::host|sourcetype.

I could really use some help in trying to figure out why these extra values are being extracted.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-18-2019 09:38 PM

Are you on a single server instance?

What if you try using only props? Something like below in props.conf in place of REPORT...

 EXTRACT-ip = (?<ip>(?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*)
0 Karma
Reply

Sparky1
Explorer
‎07-19-2019 07:21 AM

Thank you, i tried this and I'm still getting the same results. Although I've noticed that my issue only occurs when I run a search with data from 2 sources.
One of the sources is the one i want my extractions to match against
and the other source shouldn't be getting matched

My props stanza should only be matching hosts like this:
[host::(?-i)hostname1*]

but it's also matching and performing extractions(incorrectly) against the hosts that don't match my stanza

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-19-2019 07:36 AM

Do you have any other props defined that are overriding / adding to the mix?

 ./splunk btool props list --debug
0 Karma
Reply

Sparky1
Explorer
‎07-19-2019 11:06 AM

It's very possible. I just ran the debug command you suggested, and I've got a couple thousand lines to sift through

0 Karma
Reply

justinatpnnl
Communicator
‎07-18-2019 09:20 PM

Can you provide a sample event?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...