Splunk Search

How do you write a Regular expression in props.conf for only one field?

rakeshksingh
New Member

Hi All,

How do I write a regular expression in props.conf for only one field ?

like rex field=ab "regex"

thanks
Rakesh

0 Karma

dkeck
Influencer

HI,

if you want to add a search time field extraction within props.conf, just use EXTRACT

[your-sourcetype]    
EXTRACT-<class> = [<regex>|<regex> in <src_field>]
    * Used to create extracted fields (search-time field extractions) that do
      not reference transforms.conf stanzas.

for reference see : http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Propsconf

Please keep in mind that this will require a refresh/debug= http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh

0 Karma

rakeshksingh
New Member

Hi

tried but no luck.

[your-sourcetype]

EXTRACT-ab1 = [(?{.) in ab]

Could you take a look and guide me which part i am missing ?

0 Karma

FrankVl
Ultra Champion

Those square brackets shouldn't be there.

0 Karma

rakeshksingh
New Member

Thanks for response,

in ab field, data is on json format

0 Karma

rakeshksingh
New Member

tried below also but no luck.

EXTRACT-ab1 = (?{.) in ab

ab as field name

and tried with props and conf but no luck

[mysourcetype]

REPORT-myextract = myextract

Then in transforms.conf:

[myextract]

SOURCE_KEY = ab

REGEX = regex

0 Karma

FrankVl
Ultra Champion

Your EXTRACT doesn't look like a valid regex (but perhaps some characters went missing by posting it here without using the post as code option (use the 101010 button in the message editor toolbar, or enclose the code in `)

Your transforms is impossible to comment on without posting the actual regex. Does that include named capturing groups (e.g. (?<fieldname>regex)? Otherwise you also need a FORMAT setting to specify what field(s) the capture group(s) should be mapped to.

0 Karma

dkeck
Influencer

Do you have an example of the data?

Did you test your regex? for example here: https://regex101.com/

Syntax for EXTRACT should look like this :

EXTRACT-threadid = (?<threadid>[0-9A-Fa-f]+)\s+
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...