How to configure regex in transforms.conf to extract values for a field?

TheJagoff
Communicator

Hello,

I am attempting to figure out a regex for a transforms.conf for a field named Call Reason

Example data looks like this

A - Call plan question
B - Data plan question
C - Cellular telephone function question
D - Weak call signal

My goal is to transform the Call Reason field to eliminate the first 4 characters (Alpha space - space) of each row so that it shows as

Call plan question
Data plan question
Cellular telephone function question
Weak call signal

Any help is deeply appreciated as I am very weak in REGEX.

Many thanks

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You can do this either by using a calculated field (props.conf only) OR by using props.conf and transforms.conf together.

Calculated field - props.conf

[yourSourcetype]
EVAL-field=substr(YourFieldName,5)

Transform
props.conf

[yourSourcetype]
REPORT-field = mytransform

transforms.conf

[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)

To see this regex/function working in search, see this run-anywhere sample

| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason | rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)

TheJagoff
Communicator

Hey, thanks for the reply, I got called away and will look into this tomorrow morning. Thanks again.

0 Karma

TheJagoff
Communicator

Hey, I ran the anywhere sample and it worked, however, when I put it in the transforms.conf and restarted I got the following:

Checking conf files for problems...
Bad regex value: '^(.{4})(?<Call Reason>.+)', of param: transforms.conf / [trans-callreason] / REGEX; why: syntax error in subpattern name (missing terminator)

in my props.conf:

REPORT-field = trans-callreason

transforms.conf

[trans-callreason]
SOURCE_KEY = "Call Reason"
REGEX = ^(.{4})(?<Call Reason>.+)

I'll start looking into this error but please cut in if it's an obvious error on my part.

Thanks.

0 Karma

TheJagoff
Communicator

Call Reason is not showing in this forum when I typed it into the REGEX statement...

But that is what I have between the (?< and the >.+)

Sorry for being confusing...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The extracted field names can't have spaces. So replace space with underscore in REGEX and try again.

0 Karma
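As an added example (not code from the thread, and not Splunk's own tooling), the following Python script dry-runs a transforms.conf fragment before it reaches a restart: it parses the stanzas, rejects any capture-group name that PCRE would not accept (the space in `Call Reason` that produced the "missing terminator" error above), compiles the pattern, and applies it to a few constructed sample rows next to the `substr(...,5)` equivalent. It goes slightly beyond the thread by also including a stricter stanza that only strips a real `X - ` prefix, so that a row without the prefix is left unextracted instead of losing its first four letters. Assumptions: Python's `re` is used as a stand-in for Splunk's PCRE engine after rewriting `(?<name>` to `(?P<name>` (PCRE accepts both spellings, Python only the latter); stanza names, the `Call_Reason` field name and the sample rows are constructed for the example.

```python
"""Dry-run checker for a Splunk transforms.conf REGEX field extraction.

Added example, not code from the thread. It assumes Python's ``re`` is a good
enough stand-in for Splunk's PCRE engine once ``(?<name>`` is rewritten to
``(?P<name>`` (PCRE accepts both spellings, Python only the latter).
"""
import configparser
import re

# Constructed transforms.conf fragment: the thread's working stanza, a stricter
# variant that only strips a real "<letter> - " prefix, and the broken stanza
# whose capture-group name contains a space.
TRANSFORMS_CONF = """
[callreason]
SOURCE_KEY = Call_Reason
REGEX = ^(.{4})(?<Call_Reason>.+)

[callreason-strict]
SOURCE_KEY = Call_Reason
REGEX = ^[A-Z] - (?<Call_Reason>.+)

[trans-callreason-broken]
SOURCE_KEY = Call_Reason
REGEX = ^(.{4})(?<Call Reason>.+)
"""

# Constructed sample values, including one row that has no "X - " prefix.
SAMPLE_ROWS = [
    "A - Call plan question",
    "B - Data plan question",
    "C - Cellular telephone function question",
    "D - Weak call signal",
    "Weak call signal",
]

# Matches the opener of a PCRE named group, but not the lookbehinds (?<= / (?<!
_NAMED_GROUP = re.compile(r"\(\?<(?![=!])([^>]*)>")
# PCRE group-name rule: letters, digits and underscore, not starting with a digit
_VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def load_stanzas(text):
    """Parse conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / SOURCE_KEY as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def to_python_regex(pattern):
    """Rewrite PCRE (?<name>...) groups to Python's (?P<name>...) form."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def check_regex(pattern):
    """Return a list of problems with a REGEX value; empty means it looks fine."""
    problems = []
    for name in _NAMED_GROUP.findall(pattern):
        if not _VALID_NAME.fullmatch(name):
            problems.append(
                f"bad capture-group name {name!r}: use letters, digits and underscore only")
    try:
        re.compile(to_python_regex(pattern))
    except re.error as exc:
        problems.append(f"regex does not compile: {exc}")
    return problems


def apply_regex(pattern, value):
    """Run the extraction against one field value; {} when it does not match."""
    match = re.match(to_python_regex(pattern), value)
    return match.groupdict() if match else {}


def splunk_substr(value, start):
    """Mimic Splunk's 1-indexed substr(X, Y): substr(x, 5) drops four characters."""
    return value[start - 1:]


def dry_run(conf_text, rows):
    """Check every stanza and show what each would extract from the sample rows."""
    report = {}
    for stanza, keys in load_stanzas(conf_text).items():
        problems = check_regex(keys["REGEX"])
        if problems:
            report[stanza] = {"problems": problems}
        else:
            report[stanza] = {row: apply_regex(keys["REGEX"], row) for row in rows}
    return report


if __name__ == "__main__":
    for stanza, result in dry_run(TRANSFORMS_CONF, SAMPLE_ROWS).items():
        print(f"[{stanza}]")
        for key, value in result.items():
            print(f"  {key!r}: {value}")
```

Running it prints, per stanza, either the problems found or what each sample row would extract. The `[callreason]` stanza strips four characters from every row, so the prefix-less "Weak call signal" becomes " call signal"; the `[callreason-strict]` stanza leaves that row unextracted, which is usually the safer behaviour when the data is not guaranteed to carry the `X - ` prefix. The broken stanza is caught before the restart-time "Checking conf files for problems..." step shown in the thread.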

TheJagoff
Communicator

Hi,
You are absolutely correct - no spaces. Thanks!

0 Karma