Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Having REGEX Problems

usersnation
Explorer
‎09-20-2010 11:04 PM

Sorry for the cross post but after posting i saw a recommendation to use this forum instead of splunk.com

I am having issues getting REGEX to work my sample input is a simple two column csv for testing purposes (date,fakeip) the data looks like this:

8/31/2010 12:12:12,1.1.1.1
9/1/2010 12:12:12,1.1.1.1
9/2/2010 12:12:12,1.1.1.1
9/3/2010 12:12:12,1.1.1.1

my config files are as follows

props.conf

[c_netflowdata]
TRANSFORMS-foo=c_regex

Over the course of the past 8 hours I have tried a large number of different transforms files none which seem to do anything useful so there is obviously something that i am missing from the splunk documentation and peoples examples on this forum below are a few transforms.conf examples that i have tried. The have all produce varying results none of which have resulted in selectable fields in the Search app's field pick'em box

transforms.conf

[c_regex]
REGEX=(\d+/\d+/\d+\s\d+:\d+:\d+)
FORMAT=thedate::$1

[c_regex]
REGEX=(\d+/\d+/\d+\s\d+:\d+:\d+).*
FORMAT=thedate::$1

[c_regex]
REGEX=[^,],(\d+\.\d+\.\d+\.\d+)    
FORMAT=src_ip::$1

[c_regex]
REGEX=(\d+/\d+/\d+\s\d+:\d+:\d+),(\d+\.\d+\.\d+\.\d+)
FORMAT=thedate::$1 src_ip::$2

I have successfully parsed the data using DELIMS and FIELDS - however there is a specific reason that I am trying to use REGEX - i.e. this is the first step in solving a larger issue that i am trying to address

Any help is appreciated, thanks in advance

Tags (1)
Reply

Genti
Splunk Employee
Splunk Employee
‎09-21-2010 09:51 PM

then you definitely do not want to use index time extractions

0 Karma
Reply

usersnation
Explorer
‎09-21-2010 01:13 PM

yes thedate is just an example sorry for the confusion

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-21-2010 12:19 AM

Do you really want thedate as a field, or is that just an example? If your data has been read in correctly, you should be able to use _time and format it out in any way you want, without using that. Otherwise, see answers below.

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎09-20-2010 11:33 PM

Yeap, this should work: [c_regex]
REGEX=(\d+/\d+/\d+\s\d+:\d+:\d+)
FORMAT=thedate::$1
WRITE_META=true

Make sure that the data is actually coming in with sourcetype c_netflow.

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-20-2010 11:25 PM

When you specify your regex using TRANSFORMS- in props.conf, this is run at index time and has different properties than search time regexes (specifically, the output needs to be written to _meta with WRITE_META=true). You can either specify it as REPORT- in props.conf, and refer to transforms.conf. It's even easier to specify inline in props.conf:

[c_netflowdata]
EXTRACT-foo = (?<thedate>\d+/\d+/\d+\s\d+:\d+:\d+),(?<src_ip>\d+\.\d+\.\d+\.\d+)
Reply

usersnation
Explorer
‎09-21-2010 01:20 PM

I haven't attempted REPORT - but EXTRACT gets the job done. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...