Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert a regex to work in transforms.conf?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to convert a regex to work in transforms.conf?
hawkik1
Loves-to-Learn Everything
04-14-2023
09:14 AM
I am attempting (for the first tiume) to convert the following regex search to work in transforms.conf, but can't seem to get it to work. What am I missing?
My search which works:
index="fileshares" sourcetype="fileshares" source="/mnt/auditlog/*"
| rex "\"SubjectUserName\">(?<Username>[^\<]+)"
My attempt with transforms.conf:
[Username]
SOURCE_KEY = Username
REGEX = \"SubjectUserName\">(?<Username>[^\<]+)
MV_ADD = true
Props.conf:
[fileshares]
REPORT-fields = Username
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-14-2023
12:00 PM
[Username]
REGEX = \"SubjectUserName\">(?<Username>[^\<]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
04-14-2023
09:46 AM
Regular expressions can't be evaluated without sample data.
Setting MV_ADD=true is necessary only when the rex command uses the max_match option with a value greater than zero.
Quotation marks do not need to be escaped in transforms.conf because the regex is not itself quoted.
That said, what are you trying to accomplish with transforms that rex cannot? If you just want to extract the Username field then use EXTRACT rather than REPORT in props and dispense with the transform.
EXTRACT-fields = "SubjectUserName">(?<Username>[^\<]+)Keep in mind that REPORT transforms are processed at search time rather than index time.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hawkik1
Loves-to-Learn Everything
04-14-2023
10:44 AM
I'm new at working with transforms.conf and props.conf. To better explain my issue. I've got an XML file that I'm trying to generate fields for.
I'm using this search portion which works:
index="fileshares" sourcetype="fileshares" source="/mnt/auditlog/*"
| rex "SystemTime=\"(?<SystemTime>[^\"]+)"
| rex "\"SubjectDomainName\">(?<Domain>[^\<]+)"
| rex "\"SubjectUserName\">(?<Username>[^\<]+)"
| rex "\"ObjectType\">(?<ObjectType>[^\<]+)"
I'd like to have these fields created so that the rex statements are not necessary. If using EXTRACT-fields is the best method for this, what should the configuration look like for these fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
04-14-2023
11:51 AM
If you want to extract all of the XML fields then use KV_MODE = xml in props.conf. To extract selected fields then (IMO) EXTRACT is the way. Use your existing regular expressions, modified as I described in my previous answer.
EXTRACT-SystemTime = SystemTime="(?<SystemTime>[^"]+)
EXTRACT-SubjectDomainName = SubjectDomainName">(?<Domain>[^\<]+)
EXTRACT-SubjectUserName = SubjectUserName">(?<Username>[^\<]+)
EXTRACT-ObjectType = ObjectType">(?<ObjectType>[^\<]+)
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hawkik1
Loves-to-Learn Everything
04-14-2023
10:47 AM
XML:
"" <Data Name="SubjectDomainName">US</Data><Data Name="SubjectUserName">fmtdc</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">File</Data> ""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hawkik1
Loves-to-Learn Everything
04-14-2023
02:09 PM
I'm still doing something incorrect. I'm editing /opt/splunk/etc/apps/Splunk_TA_nix/local/props.conf on my standalone enterprise server.
I added this at the bottom of the file. Sourcetype of the search is fileshares:
[fileshares]
EXTRACT-SystemTime = SystemTime="(?<SystemTime>[^"]+)
EXTRACT-SubjectDomainName = SubjectDomainName">(?<Domain>[^\<]+)
EXTRACT-SubjectUserName = SubjectUserName">(?<Username>[^\<]+)
EXTRACT-ObjectType = ObjectType">(?<ObjectType>[^\<]+)
I also tried this:
[fileshares]
KV_MODE=xml
Restarted splunk and neither of the above worked. Using |xmlkv works fine btw, but grabs way too many fields, slowing the search. Thanks ahead of time from the newbe.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
