Splunk Search

How to configure regex in transforms.conf to extract values for a field?

TheJagoff
Communicator

Hello,

I am attempting to figure out a regex for a transforms.conf for a field named Call Reason

Example data looks like this

A - Call plan question
B - Data plan question
C - Cellular telephone function question
D - Weak call signal

My goal is to transform the Call Reason field to eliminate the first 4 characters (Alpha space - space) of each row so the it shows as

Call plan question
Data plan question
Cellular telephone function question
Weak call signal

Any help is deeply appreciated as I am very weak in REGEX.

Many thanks

0 Karma
1 Solution

somesoni2
Revered Legend

You can do this either by using calculated field (in props.conf only) OR transforms.conf both.

Calculated field - props.conf

[yourSourcetype]
EVAL-field=substr(YourFieldName,5)

Transform
props.conf

[yourSourcetype]
REPORT-field = mytransform

transforms.conf

[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)

To see these regex/function working in search, see this run anywhere sample

| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)

View solution in original post

somesoni2
Revered Legend

You can do this either by using calculated field (in props.conf only) OR transforms.conf both.

Calculated field - props.conf

[yourSourcetype]
EVAL-field=substr(YourFieldName,5)

Transform
props.conf

[yourSourcetype]
REPORT-field = mytransform

transforms.conf

[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)

To see these regex/function working in search, see this run anywhere sample

| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)

TheJagoff
Communicator

Hey, thanks for the reply, I got called away and will look into this tomorrow morning. Thanks again.

0 Karma

TheJagoff
Communicator

Hey, I ran the anywhere sample and it worked, however, when I put it in the transforms.conf and restarted I got the following:

Checking conf files for problems...
Bad regex value: '^(.{4})(?<Call Reason>.+)', of param: transforms.conf / [trans-callreason] / REGEX; why: syntax error in subpattern name (missing terminator)

in my props.conf:

REPORT-field = trans-callreason

transforms.conf

[trans-callreason]
SOURCE_KEY = "Call Reason"
REGEX = ^(.{4})(?.+)

I'll start looking into this error but please cut in if it's an obvious error on my part.

Thanks.

0 Karma

TheJagoff
Communicator

Call Reason is not showing in this forum when I typed it into the REGEX statement...

But that is what I have between the (?< and the >.+)

Sorry for being confusing...

0 Karma

somesoni2
Revered Legend

The extracted field names can't have spaces. So replace space with underscore in REGEX and try again.

0 Karma

TheJagoff
Communicator

Hi,
You are absolutely correct - no spaces. Thanks!

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...