Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert a regex to work in transforms.conf?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to convert a regex to work in transforms.conf?
hawkik1
Loves-to-Learn Everything
04-14-2023
09:14 AM
I am attempting (for the first tiume) to convert the following regex search to work in transforms.conf, but can't seem to get it to work. What am I missing?
My search which works:
index="fileshares" sourcetype="fileshares" source="/mnt/auditlog/*"
| rex "\"SubjectUserName\">(?<Username>[^\<]+)"
My attempt with transforms.conf:
[Username]
SOURCE_KEY = Username
REGEX = \"SubjectUserName\">(?<Username>[^\<]+)
MV_ADD = true
Props.conf:
[fileshares]
REPORT-fields = Username
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-14-2023
12:00 PM
[Username]
REGEX = \"SubjectUserName\">(?<Username>[^\<]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
04-14-2023
09:46 AM
Regular expressions can't be evaluated without sample data.
Setting MV_ADD=true is necessary only when the rex command uses the max_match option with a value greater than zero.
Quotation marks do not need to be escaped in transforms.conf because the regex is not itself quoted.
That said, what are you trying to accomplish with transforms that rex cannot? If you just want to extract the Username field then use EXTRACT rather than REPORT in props and dispense with the transform.
EXTRACT-fields = "SubjectUserName">(?<Username>[^\<]+)Keep in mind that REPORT transforms are processed at search time rather than index time.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hawkik1
Loves-to-Learn Everything
04-14-2023
10:44 AM
I'm new at working with transforms.conf and props.conf. To better explain my issue. I've got an XML file that I'm trying to generate fields for.
I'm using this search portion which works:
index="fileshares" sourcetype="fileshares" source="/mnt/auditlog/*"
| rex "SystemTime=\"(?<SystemTime>[^\"]+)"
| rex "\"SubjectDomainName\">(?<Domain>[^\<]+)"
| rex "\"SubjectUserName\">(?<Username>[^\<]+)"
| rex "\"ObjectType\">(?<ObjectType>[^\<]+)"
I'd like to have these fields created so that the rex statements are not necessary. If using EXTRACT-fields is the best method for this, what should the configuration look like for these fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
04-14-2023
11:51 AM
If you want to extract all of the XML fields then use KV_MODE = xml in props.conf. To extract selected fields then (IMO) EXTRACT is the way. Use your existing regular expressions, modified as I described in my previous answer.
EXTRACT-SystemTime = SystemTime="(?<SystemTime>[^"]+)
EXTRACT-SubjectDomainName = SubjectDomainName">(?<Domain>[^\<]+)
EXTRACT-SubjectUserName = SubjectUserName">(?<Username>[^\<]+)
EXTRACT-ObjectType = ObjectType">(?<ObjectType>[^\<]+)
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hawkik1
Loves-to-Learn Everything
04-14-2023
10:47 AM
XML:
"" <Data Name="SubjectDomainName">US</Data><Data Name="SubjectUserName">fmtdc</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">File</Data> ""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hawkik1
Loves-to-Learn Everything
04-14-2023
02:09 PM
I'm still doing something incorrect. I'm editing /opt/splunk/etc/apps/Splunk_TA_nix/local/props.conf on my standalone enterprise server.
I added this at the bottom of the file. Sourcetype of the search is fileshares:
[fileshares]
EXTRACT-SystemTime = SystemTime="(?<SystemTime>[^"]+)
EXTRACT-SubjectDomainName = SubjectDomainName">(?<Domain>[^\<]+)
EXTRACT-SubjectUserName = SubjectUserName">(?<Username>[^\<]+)
EXTRACT-ObjectType = ObjectType">(?<ObjectType>[^\<]+)
I also tried this:
[fileshares]
KV_MODE=xml
Restarted splunk and neither of the above worked. Using |xmlkv works fine btw, but grabs way too many fields, slowing the search. Thanks ahead of time from the newbe.
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
