- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to configure regex in transforms.conf to extra...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am attempting to figure out a regex for a transforms.conf for a field named Call Reason
Example data looks like this
A - Call plan question
B - Data plan question
C - Cellular telephone function question
D - Weak call signal
My goal is to transform the Call Reason field to eliminate the first 4 characters (Alpha space - space) of each row so the it shows as
Call plan question
Data plan question
Cellular telephone function question
Weak call signal
Any help is deeply appreciated as I am very weak in REGEX.
Many thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do this either by using calculated field (in props.conf only) OR transforms.conf both.
Calculated field - props.conf
[yourSourcetype]
EVAL-field=substr(YourFieldName,5)
Transform
props.conf
[yourSourcetype]
REPORT-field = mytransform
transforms.conf
[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)
To see these regex/function working in search, see this run anywhere sample
| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do this either by using calculated field (in props.conf only) OR transforms.conf both.
Calculated field - props.conf
[yourSourcetype]
EVAL-field=substr(YourFieldName,5)
Transform
props.conf
[yourSourcetype]
REPORT-field = mytransform
transforms.conf
[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)
To see these regex/function working in search, see this run anywhere sample
| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, thanks for the reply, I got called away and will look into this tomorrow morning. Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, I ran the anywhere sample and it worked, however, when I put it in the transforms.conf and restarted I got the following:
Checking conf files for problems...
Bad regex value: '^(.{4})(?<Call Reason>.+)', of param: transforms.conf / [trans-callreason] / REGEX; why: syntax error in subpattern name (missing terminator)
in my props.conf:
REPORT-field = trans-callreason
transforms.conf
[trans-callreason]
SOURCE_KEY = "Call Reason"
REGEX = ^(.{4})(?.+)
I'll start looking into this error but please cut in if it's an obvious error on my part.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Call Reason is not showing in this forum when I typed it into the REGEX statement...
But that is what I have between the (?< and the >.+)
Sorry for being confusing...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The extracted field names can't have spaces. So replace space with underscore in REGEX and try again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You are absolutely correct - no spaces. Thanks!
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
