Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract fields at search time through props.conf file?

riqbal
Communicator
‎08-13-2018 03:55 AM

I have w3c format logs. I want to create the fiels through props.conf.
I want to use EXTRACT- xxx= for search time field extraction.
below is my sample event.

2014-01-02 22:12:37 5209 1x3.xxx2.xx.xxx 200 TCP_MISS 209383 546 GET http daxxx.clxxxnt.net 80 /photos/show_resized/137406/12/4/41.jpg - - - - daxxx.clxxxnt.net image/jpeg;%20charset=utf-8 http://daxxx.clxxxnt.net?&utm_source=email&utm_medium=sf&utm_term=Second%20Email%20SF%201/2&utm_cont... "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" OBSERVED "Content Servers" - 1x3.xx2.xx.xxx 5x.xxx.1xxx.2xxx 52
006

#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip r-supplier-ip c-port
Reply

sudosplunk
Motivator
‎08-13-2018 12:03 PM

Hi there,

Since you want to extract fields based on the order the values appear, I would recommend using REPORT instead of EXTRACT. Give this a try,

props.conf:

[sourcetype]
REPORT-w3c_extractions = name_for_extractions

transforms.conf:

[name_for_extractions]
REGEX = (?<date>\d{4}\-\d{1,2}\-\d{1,2})\s(?<time>\d{1,2}\:\d{1,2}\:\d{1,2})\s(?<time_taken>\d+)\s(?<c_ip>[\d|\.]{7,15})\s(?<sc_status>\d{1,3})\s(?<s_action>[\w|\_]*)\s(?<sc_bytes>\d+)\s(?<cs_bytes>\d+)\s(?<cs_method>\w*)\s(?<cs_uri_scheme>[\-|\w]*)\s(?<cs_host>\S*)\s(?<cs_uri_port>\d{1,6})\s(?<cs_uri_path>\S*)\s(?<cs_uri_query>\S*)\s(?<cs_username>\S*)\s(?<cs_auth_group>[^\s]*)\s(?<s_hierarchy>\S*)\s(?<s_supplier_name>\S*)\s(?<rs_content_type>\S*)\s(?<cs_referrer>\S*)\s\"(?<cs_user_agent>.*?)\"\s(?<sc_filter_result>\w*?)\s(?<cs_categories>.*?)\"\s(?<x_virus_id>\S*)\s(?<s_ip>[\d|\.]{7,15})\s(?<r_supplier_ip>[\d|\.]{7,15})\s(?<c_port>\d{1,6})

Regex tested here.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...