Splunk Search

How to configure regex in transforms.conf to extract values for a field?

TheJagoff
Communicator

Hello,

I am attempting to figure out a regex for a transforms.conf for a field named Call Reason

Example data looks like this

A - Call plan question
B - Data plan question
C - Cellular telephone function question
D - Weak call signal

My goal is to transform the Call Reason field to eliminate the first 4 characters (Alpha space - space) of each row so the it shows as

Call plan question
Data plan question
Cellular telephone function question
Weak call signal

Any help is deeply appreciated as I am very weak in REGEX.

Many thanks

0 Karma
1 Solution

somesoni2
Revered Legend

You can do this either by using calculated field (in props.conf only) OR transforms.conf both.

Calculated field - props.conf

[yourSourcetype]
EVAL-field=substr(YourFieldName,5)

Transform
props.conf

[yourSourcetype]
REPORT-field = mytransform

transforms.conf

[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)

To see these regex/function working in search, see this run anywhere sample

| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)

View solution in original post

somesoni2
Revered Legend

You can do this either by using calculated field (in props.conf only) OR transforms.conf both.

Calculated field - props.conf

[yourSourcetype]
EVAL-field=substr(YourFieldName,5)

Transform
props.conf

[yourSourcetype]
REPORT-field = mytransform

transforms.conf

[mytransform]
SOURCE_KEY = YourFieldName
REGEX = ^(.{4})(?<YourFieldName>.+)

To see these regex/function working in search, see this run anywhere sample

| gentimes start=-1 | eval Reason="A - Call plan question." | table Reason| rex field=Reason "^.{4}(?<Field>.+)" | eval Field2=substr(Reason,5)

TheJagoff
Communicator

Hey, thanks for the reply, I got called away and will look into this tomorrow morning. Thanks again.

0 Karma

TheJagoff
Communicator

Hey, I ran the anywhere sample and it worked, however, when I put it in the transforms.conf and restarted I got the following:

Checking conf files for problems...
Bad regex value: '^(.{4})(?<Call Reason>.+)', of param: transforms.conf / [trans-callreason] / REGEX; why: syntax error in subpattern name (missing terminator)

in my props.conf:

REPORT-field = trans-callreason

transforms.conf

[trans-callreason]
SOURCE_KEY = "Call Reason"
REGEX = ^(.{4})(?.+)

I'll start looking into this error but please cut in if it's an obvious error on my part.

Thanks.

0 Karma

TheJagoff
Communicator

Call Reason is not showing in this forum when I typed it into the REGEX statement...

But that is what I have between the (?< and the >.+)

Sorry for being confusing...

0 Karma

somesoni2
Revered Legend

The extracted field names can't have spaces. So replace space with underscore in REGEX and try again.

0 Karma

TheJagoff
Communicator

Hi,
You are absolutely correct - no spaces. Thanks!

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...