Splunk Search

Getting the wrong fields extracted from my props and transforms conf files

Sparky1
Explorer

So i'm trying to extract and ip address from a multi-value field
and my transforms stanza is something along these lines

transforms.conf
[ip]
REGEX = ((?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*)
FORMAT = IP::$1

props.conf

[host::hostname]
TIME_FORMAT = %a %b %d %H:%M:%S %T %Y
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-ip = ip

So this works, however it also extracts the source, sourcetype and host values in my new ip field.
So i have random fields that look like IP= source::source|host::host|sourcetype.

I could really use some help in trying to figure out why these extra values are being extracted.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Are you on a single server instance?

What if you try using only props? Something like below in props.conf in place of REPORT...

 EXTRACT-ip = (?<ip>(?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*)
0 Karma

Sparky1
Explorer

Thank you, i tried this and I'm still getting the same results. Although I've noticed that my issue only occurs when I run a search with data from 2 sources.
One of the sources is the one i want my extractions to match against
and the other source shouldn't be getting matched

My props stanza should only be matching hosts like this:
[host::(?-i)hostname1*]

but it's also matching and performing extractions(incorrectly) against the hosts that don't match my stanza

0 Karma

jkat54
SplunkTrust
SplunkTrust

Do you have any other props defined that are overriding / adding to the mix?

 ./splunk btool props list --debug
0 Karma

Sparky1
Explorer

It's very possible. I just ran the debug command you suggested, and I've got a couple thousand lines to sift through

0 Karma

justinatpnnl
Communicator

Can you provide a sample event?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...