Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure props.conf for both of my search-time extractions (from another existing field)?

skender27
Contributor
‎02-02-2016 07:13 AM

Hi,

I'd rather need to know how to put in .conf files both the following (search-time) extractions.
sql_where_clause is an existing field.
Should I put one by one in props.conf, or it is better to use transforms.conf?

Thanks,
Skender

 |  rex field=sql_where_clause  "ccti_class = (?P<class>.*?) AND ccti_category = '(?P<category>.*?)' "
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skender27
Contributor
‎02-04-2016 08:18 AM

I resolved it using only props.conf:

[my_sourcetype]
...
...
EXTRACT-my_extractions = ccti_class = \'(?<class>[\w\s]+)\'.*ccti_category = \'(?<category>[\w\s]+)\'

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skender27
Contributor
‎02-04-2016 08:18 AM

I resolved it using only props.conf:

[my_sourcetype]
...
...
EXTRACT-my_extractions = ccti_class = \'(?<class>[\w\s]+)\'.*ccti_category = \'(?<category>[\w\s]+)\'
0 Karma
Reply
Solved! Jump to solution

skender27
Contributor
‎02-04-2016 02:40 AM

Hi,

Thanks for your comment!

I am trying, but could you suggest me the optimized regex to extract the two fields (class and category) to insert in the transforms.conf?
Here is the sample event:

ccti_class = 'Service Forniture' AND ccti_category = 'Computer science' AND ( ticket_type = 'Change Request' and ticket_impact_code = '2' ) AND ( ticket_type = 'Change Request' and ticket_urgency_code = '1' )

0 Karma
Reply
Solved! Jump to solution

skender27
Contributor
‎02-02-2016 09:05 AM

Could it be correct this way?

transforms.conf
[class_category]
REGEX = <regex expression to extract two fields>
SOURCE_KEY = field:sys_where_clause


props.conf
[my_sourcetype]
REPORT-class_category = class_category
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-02-2016 10:18 AM

That will be correct if you want to use transforms.conf. For just props.conf, see this

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...