Splunk Search

How can I determine the regex used for an extraction in a specific event?

pinVie
Path Finder

Hello all,

One problem that I frequently have is that I need to know what extraction was used for a specific event. It might happen that the extraction regex works in 99% of all cases, but then I spot some events where the extractions failed - in most cases it is just a minor fix in the regex - e.g., replacing [A-Za-z] with a \w because I missed that this field may contain numbers or something of the like.

Finding the actual EXTRACT in the props.conf takes more time than fixing it. Of course I can start with the sourcetype, but if I have 20 or more (not so perfectly named) EXTRACTs, that's quite hard. Right now I have the "convenient" problem that an already existing EXTRACT matches perfectly to a similar event - I just don't know which one 🙂

I'd really appreciate some tips/hints.

Thx a lot !!

0 Karma

jeffland
SplunkTrust

Unfortunately, there is no way to do this for an individual event that I know of, but you can have a look at the search log (job inspector - search.log) to see all extractions done for the search.
In the long run, you will have to start naming your extractions sensibly, because you can only ever identify them by either their name or their content. A good naming convention is of course always a good idea, but it becomes a necessity in growing environments.

A good thing is that you do not have to use the web UI to look/search for them, you can use btool (run from $SPLUNK_HOME/bin):

./splunk cmd btool props list

will show you all definitions in all props.conf across your system. Combine this with | grep, and (with a nice naming convention) you have all you need.
btool can also consider app and user context with --app= and --user=, and it can show you which file the settings originate from with --debug. Check the docs here.

0 Karma
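One way to narrow the search for the matching EXTRACT, as an added example (not code from the poster or from Splunk): feed the output of `./splunk cmd btool props list --debug` into a small script that parses every EXTRACT-* under each stanza and tests each regex against the problem event. The btool sample, the stanza name, file paths and EXTRACT names below are constructed for this example; Splunk evaluates PCRE, so only the named-group syntax is translated and anything Python cannot compile is skipped for manual inspection.

```python
import re

# Constructed stand-in for `./splunk cmd btool props list --debug` output:
# each line is prefixed with the props.conf the setting came from.
SAMPLE_BTOOL = r"""
/opt/splunk/etc/apps/myapp/local/props.conf  [myapp:access]
/opt/splunk/etc/apps/myapp/local/props.conf  EXTRACT-user_alpha = user=(?<user>[A-Za-z]+)\s
/opt/splunk/etc/apps/myapp/local/props.conf  EXTRACT-user_word = user=(?<user>\w+)\s
/opt/splunk/etc/system/default/props.conf    [default]
/opt/splunk/etc/system/default/props.conf    EXTRACT-status = status=(?<status>\d{3})
"""

LINE_RE = re.compile(r"^(?P<file>\S+)\s+(?P<body>.*)$")
STANZA_RE = re.compile(r"^\[(?P<stanza>[^\]]+)\]$")
# Value may carry an optional " in <source_field>" suffix, which is not part of the regex.
EXTRACT_RE = re.compile(r"^(?P<name>EXTRACT-[^\s=]+)\s*=\s*(?P<regex>.*?)(?:\s+in\s+\w+)?$")


def pcre_to_python(regex):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...), leaving lookbehinds alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", regex)


def parse_extracts(btool_output):
    """Return a list of (stanza, name, regex, file) for every EXTRACT-* in btool --debug output."""
    stanza, extracts = None, []
    for line in btool_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body").strip()
        s = STANZA_RE.match(body)
        if s:
            stanza = s.group("stanza")
            continue
        e = EXTRACT_RE.match(body)
        if e and stanza:
            extracts.append((stanza, e.group("name"), e.group("regex"), m.group("file")))
    return extracts


def matching_extracts(event, extracts, stanza=None):
    """Return (name, file, fields) for each extraction whose regex matches the event.

    If a stanza (sourcetype) is given, only that stanza plus [default] is considered."""
    hits = []
    for st, name, regex, path in extracts:
        if stanza and st not in (stanza, "default"):
            continue
        try:
            m = re.search(pcre_to_python(regex), event)
        except re.error:  # PCRE feature Python cannot compile: inspect this one by hand
            continue
        if m:
            hits.append((name, path, m.groupdict()))
    return hits
```

Run it against the failing event and the good event side by side: the EXTRACT that matches the good one but not the failing one is the one to fix.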