Splunk Search

How to extract fields at search time through props.conf file?

Communicator

I have W3C format logs. I want to create the fields through props.conf.
I want to use EXTRACT-xxx = for search-time field extraction.
Below is my sample event.

2014-01-02 22:12:37 5209 1x3.xxx2.xx.xxx 200 TCP_MISS 209383 546 GET http daxxx.clxxxnt.net 80 /photos/show_resized/137406/12/4/41.jpg - - - - daxxx.clxxxnt.net image/jpeg;%20charset=utf-8 http://daxxx.clxxxnt.net?&utm_source=email&utm_medium=sf&utm_term=Second%20Email%20SF%201/2&utm_cont... "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" OBSERVED "Content Servers" - 1x3.xx2.xx.xxx 5x.xxx.1xxx.2xxx 52006

#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip r-supplier-ip c-port

Motivator

Hi there,

Since you want to extract fields based on the order the values appear, I would recommend using REPORT instead of EXTRACT. Give this a try,

props.conf:

[sourcetype]
REPORT-w3c_extractions = name_for_extractions

transforms.conf:

[name_for_extractions]
REGEX = (?<date>\d{4}\-\d{1,2}\-\d{1,2})\s(?<time>\d{1,2}\:\d{1,2}\:\d{1,2})\s(?<time_taken>\d+)\s(?<c_ip>[\d\.]{7,15})\s(?<sc_status>\d{1,3})\s(?<s_action>[\w\_]*)\s(?<sc_bytes>\d+)\s(?<cs_bytes>\d+)\s(?<cs_method>\w*)\s(?<cs_uri_scheme>[\-\w]*)\s(?<cs_host>\S*)\s(?<cs_uri_port>\d{1,6})\s(?<cs_uri_path>\S*)\s(?<cs_uri_query>\S*)\s(?<cs_username>\S*)\s(?<cs_auth_group>[^\s]*)\s(?<s_hierarchy>\S*)\s(?<s_supplier_name>\S*)\s(?<rs_content_type>\S*)\s(?<cs_referrer>\S*)\s\"(?<cs_user_agent>[^\"]*)\"\s(?<sc_filter_result>\w*)\s\"(?<cs_categories>[^\"]*)\"\s(?<x_virus_id>\S*)\s(?<s_ip>[\d\.]{7,15})\s(?<r_supplier_ip>[\d\.]{7,15})\s(?<c_port>\d{1,6})

Regex tested here.
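As an added worked example (my own script, not part of the original post and not Splunk's code), the following Python generates the transforms.conf REGEX directly from the #Fields header instead of writing the 27 groups by hand, then applies it to the sample event the way Splunk would at search time. It generalises the answer above to any W3C header whose values are either a single non-space token or a double-quoted string (the user agent and the categories). The field-name mapping (rs(Content-Type) becomes rs_Content_Type) is my convention, and the sample data is constructed from the post with the obfuscated IPs replaced by RFC 5737 documentation addresses.

```python
import re

# Constructed test data modelled on the post: the #Fields header verbatim and the
# sample event with its obfuscated IPs replaced by RFC 5737 documentation addresses.
W3C_HEADER = (
    "#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method "
    "cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group "
    "s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) "
    "sc-filter-result cs-categories x-virus-id s-ip r-supplier-ip c-port"
)
SAMPLE_EVENT = (
    "2014-01-02 22:12:37 5209 192.0.2.10 200 TCP_MISS 209383 546 GET http daxxx.clxxxnt.net 80 "
    "/photos/show_resized/137406/12/4/41.jpg - - - - daxxx.clxxxnt.net image/jpeg;%20charset=utf-8 "
    "http://daxxx.clxxxnt.net?&utm_source=email&utm_medium=sf "
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" OBSERVED '
    '"Content Servers" - 198.51.100.5 203.0.113.7 52006'
)


def splunk_field_name(w3c_name):
    """Turn a W3C field name into a Splunk-safe one (my convention):
    rs(Content-Type) -> rs_Content_Type, c-ip -> c_ip."""
    return re.sub(r"[^0-9A-Za-z_]+", "_", w3c_name).strip("_")


def header_fields(header_line):
    """Return the field names listed on a '#Fields:' directive line."""
    body = header_line.split(":", 1)[1] if header_line.startswith("#Fields:") else header_line
    return body.split()


def build_transforms_regex(header_line):
    """Build one PCRE with a named group per header field, for REGEX = in transforms.conf.

    Each value is either a double-quoted string (which may contain spaces, e.g. the
    user agent or cs-categories) or a run of non-whitespace; the alternation tries the
    quoted form first so a quoted value is never split on its inner spaces.
    """
    groups = [rf'(?<{splunk_field_name(f)}>"[^"]*"|\S+)' for f in header_fields(header_line)]
    return "^" + r"\s+".join(groups) + r"\s*$"


def render_transforms_stanza(stanza_name, header_line):
    """Render the transforms.conf stanza that REPORT-<name> in props.conf would reference."""
    return f"[{stanza_name}]\nREGEX = {build_transforms_regex(header_line)}\n"


def extract_fields(transforms_regex, event):
    """Apply the generated regex to one event, as Splunk would at search time.

    Python's re module only understands (?P<name>...), so the PCRE-style (?<name>...)
    groups are rewritten for local testing. Returns {} when the event does not fit the
    header (for example the log format changed and the field count differs), rather
    than returning misaligned fields.
    """
    compiled = re.compile(transforms_regex.replace("(?<", "(?P<"))
    match = compiled.match(event)
    if not match:
        return {}
    # The regex keeps the surrounding quotes in quoted values; drop them here.
    return {name: value.strip('"') for name, value in match.groupdict().items()}


if __name__ == "__main__":
    print(render_transforms_stanza("name_for_extractions", W3C_HEADER))
    for name, value in extract_fields(build_transforms_regex(W3C_HEADER), SAMPLE_EVENT).items():
        print(f"{name} = {value}")
```

The rendered stanza is what goes under [name_for_extractions] in transforms.conf, with props.conf pointing at it through REPORT-w3c_extractions = name_for_extractions exactly as in the answer above. Note that because each group captures the quotes around quoted values, Splunk would keep those quotes in cs_User_Agent and cs_categories unless the group is changed to exclude them; the Python check strips them only locally. Running the script against an event with a different number of columns returns no fields at all, which is the safer failure mode when a log format changes underneath an extraction.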