Splunk Search

How to configure props.conf for both of my search-time extractions (from another existing field)?

Contributor

Hi,

I'd rather need to know how to put in .conf files both the following (search-time) extractions.
sql_where_clause is an existing field.
Should I put one by one in props.conf, or it is better to use transforms.conf?

Thanks,
Skender

 |  rex field=sql_where_clause  "ccti_class = (?P<class>.*?) AND ccti_category = '(?P<category>.*?)' "
0 Karma
1 Solution

Contributor

I resolved it using only props.conf:

[my_sourcetype]
...
...
EXTRACT-my_extractions = ccti_class = \'(?<class>[\w\s]+)\'.*ccti_category = \'(?<category>[\w\s]+)\'

View solution in original post

0 Karma

Contributor

I resolved it using only props.conf:

[my_sourcetype]
...
...
EXTRACT-my_extractions = ccti_class = \'(?<class>[\w\s]+)\'.*ccti_category = \'(?<category>[\w\s]+)\'

View solution in original post

0 Karma

Contributor

Hi,

Thanks for your comment!

I am trying, but could you suggest me the optimized regex to extract the two fields (class and category) to insert in the transforms.conf?
Here is the sample event:

ccti_class = 'Service Forniture' AND ccti_category = 'Computer science' AND ( ticket_type = 'Change Request' and ticket_impact_code = '2' ) AND ( ticket_type = 'Change Request' and ticket_urgency_code = '1' )

0 Karma

Contributor

Could it be correct this way?

transforms.conf
[class_category]
REGEX = <regex expression to extract two fields>
SOURCE_KEY = field:sys_where_clause


props.conf
[my_sourcetype]
REPORT-class_category = class_category
0 Karma

SplunkTrust
SplunkTrust

That will be correct if you want to use transforms.conf. For just props.conf, see this

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

0 Karma