Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract fields using regex in transform...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everybody
I am new to the regex topic.
I have events with folowing information:
SPIEE-WIRELESS-MIB::**bsnStationMacAddress**.0 = STRING: **a9:12:fa:13:19:8F**
CISCO-LWAPP-UMBH-CALLT-MIB::**cldcClientSSID**.0 = STRING: **Campus-WLAN**
As we can see, we can present these two (and further logs) in following format:
blabla-MIB::**FIELDNAME**.0 = Blabla: **FIELDVALUE**
I have to apply this extraction in transforms.conf
My idea is:
[mytransform]
REGEX= (?:.*\-MIB::)(.+)(?:\.0\s\=\s[a-zA-Z0-9]+:\s)(.+)
FORMAT= $1::$2
Both (.+) are the field names and field values. I have extracted them as groups but how do I define them as a Splunk fieldname and field value?
Thank you in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I modified your regex a little to make it take less steps to find a match (you can see results here). Give this combination a try:
props.conf:
[your_sourcetype]
REPORT-extraction_name = transform_stanza_name
transforms.conf:
[transform_stanza_name]
REGEX = MIB\:\:(.+)\.\d\s\=\sSTRING\:\s(.+)
FORMAT = $1::$2
MV_ADD = true ## Use this if you have multiple values for same field name
Deploy these configurations to your search head(s) and search for data in smart mode or verbose mode. HTH!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I modified your regex a little to make it take less steps to find a match (you can see results here). Give this combination a try:
props.conf:
[your_sourcetype]
REPORT-extraction_name = transform_stanza_name
transforms.conf:
[transform_stanza_name]
REGEX = MIB\:\:(.+)\.\d\s\=\sSTRING\:\s(.+)
FORMAT = $1::$2
MV_ADD = true ## Use this if you have multiple values for same field name
Deploy these configurations to your search head(s) and search for data in smart mode or verbose mode. HTH!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
