Splunk Search

How to configure regex in transforms.conf to extract values for a field?

TheJagoff
Communicator

Hello,

I am attempting to figure out a regex for a transforms.conf for a field named Call Reason

Example data looks like this

A - Call plan question
B - Data plan question
C - Cellular telephone function question
D - Weak call signal

My goal is to transform the Call Reason field to eliminate the first 4 characters (Alpha space - space) of each row so the it shows as

Call plan question
Data plan question
Cellular telephone function question
Weak call signal

Any help is deeply appreciated as I am very weak in REGEX.

Many thanks

0 Karma
1 Solution

somesoni2
Revered Legend

You can do this either by using calculated field (in props.conf only) OR transforms.conf both.

Calculated field - props.conf

[yourSourcetype]
EVAL-field=substr(YourFieldName,5)

Transform
props.conf

[yourSourcetype]
REPORT-field = mytransform

transforms.conf

[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)

To see these regex/function working in search, see this run anywhere sample

| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)

View solution in original post

somesoni2
Revered Legend

You can do this either by using calculated field (in props.conf only) OR transforms.conf both.

Calculated field - props.conf

[yourSourcetype]
EVAL-field=substr(YourFieldName,5)

Transform
props.conf

[yourSourcetype]
REPORT-field = mytransform

transforms.conf

[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)

To see these regex/function working in search, see this run anywhere sample

| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)

TheJagoff
Communicator

Hey, thanks for the reply, I got called away and will look into this tomorrow morning. Thanks again.

0 Karma

TheJagoff
Communicator

Hey, I ran the anywhere sample and it worked, however, when I put it in the transforms.conf and restarted I got the following:

Checking conf files for problems...
Bad regex value: '^(.{4})(?<Call Reason>.+)', of param: transforms.conf / [trans-callreason] / REGEX; why: syntax error in subpattern name (missing terminator)

in my props.conf:

REPORT-field = trans-callreason

transforms.conf

[trans-callreason]
SOURCE_KEY = "Call Reason"
REGEX = ^(.{4})(?.+)

I'll start looking into this error but please cut in if it's an obvious error on my part.

Thanks.

0 Karma

TheJagoff
Communicator

Call Reason is not showing in this forum when I typed it into the REGEX statement...

But that is what I have between the (?< and the >.+)

Sorry for being confusing...

0 Karma

somesoni2
Revered Legend

The extracted field names can't have spaces. So replace space with underscore in REGEX and try again.

0 Karma

TheJagoff
Communicator

Hi,
You are absolutely correct - no spaces. Thanks!

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...