Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to copy/paste a regex into splunk

mikefoti
Communicator
‎04-02-2012 01:38 PM

My ultimate goal is to create a regex expression that can be used use to extract fields from any record made up comma-seperated fields. For example, if a normal event looks like this:

"RADSP01HDQRW","IAS",04/02/2012,16:14:38,2,,"RETAIL\HH01-9002",,,,,,,,0,"10.170.191.48"

it will always contain 15 commas, therefore 16 fields.

I created the regex expression below and tested it with UltraEditPro.

[^,](?=(,[^,]){15,15}$)

It will find the 1st field. In order to make it find the 2nd field I simply replace (15,15) with (14,14).

Everything looked great in UltraEdit but when I pasted it into the Field Extraction UI
it complained...

Invalid regex: no named extraction at position 7 (i.e., "=(,[^,]*){..."). Expected "(?Ppattern)"

I tried various combinations before thinking surely someone else has already tackled this problem... so here's hoping!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎04-02-2012 01:57 PM

Since you have a delimiter that is separating your fields then I would take a look at the following:

$SPLUNK_HOME/etc/system/local/props.conf

[data]
REPORT-fieldextract = fieldextract

$SPLUNK_HOME/etc/system/local/transforms.conf 

[fieldextract]
DELIMS = ","
FIELDS = field1,field2,field3,...field16

Remember that this field extraction happens at index time so this will only work for the latest data.

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Transformsconf

View solution in original post

Reply
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎04-02-2012 01:57 PM

Since you have a delimiter that is separating your fields then I would take a look at the following:

$SPLUNK_HOME/etc/system/local/props.conf

[data]
REPORT-fieldextract = fieldextract

$SPLUNK_HOME/etc/system/local/transforms.conf 

[fieldextract]
DELIMS = ","
FIELDS = field1,field2,field3,...field16

Remember that this field extraction happens at index time so this will only work for the latest data.

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Transformsconf

Reply
Solved! Jump to solution

MarioM
Motivator
‎04-05-2012 10:32 PM

Fields extractions are on the search head then if your indexer is the search head too then you should put it there.
Your sencond extraction via delims looks right.

0 Karma
Reply
Solved! Jump to solution

mikefoti
Communicator
‎04-05-2012 11:32 AM

Thanks for the reply. I read the props and transforms documentation and am unclear if the edits need to be in these files on the indexer or the UF.

Also, if I want to extract the csv fields only for sourcetype=foo, does this look right?

Props.conf [sourcetype::foo]
report_radius=extract_radius_CSV

Transforms.conf: [extract_radius_CSV]
DELIMS=”,”
FIELDS=”nps_svrName”,”nps_svcName”,”nps_Date”,”nps_Time”,”nps_packetType,”nps_userName”,”nps_userFQDN”,”nps_calledStation”,”nps_callingStation”

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...