Splunk Search

Hi

I am getting below log and want to extract the data/values from the field using props.conf / transforms.conf.

Field_name:  [
  "value", "value", "value", "value"
]

In _raw format I'm getting the below logs from the same

"Field_name": "[\r\n  \"value\",\r\n  \"value\",\r\n  \"value\",\r\n  \"value\"]"

Any help will be much appreciated.

Thanks

I don't understand your examples, but there are at least 2 ways to extract new fields from existing fields in props/transforms. Let's say you have already extracted a field called "my_field".

Then using EXTRACT in props, you can tell splunk the field to run the regex against by adding " in myfield" after your regex.

props

[your_sourcetype]
EXTRACT-some_new_field = <your regex> in my_field

Or if you're using props/transforms, then specify the existing field as the source key in transforms

props

[your_sourcetype]
REPORT-some_new_field = extract_new_field

transforms

[extract_new_field]
SOURCE_KEY = my_field
REGEX = <your regex>

Hi I have tried the solution using props.conf and transforms.conf

Seems it is working properly when I search using extract reload=t. But without this command in search query it is not working.

Transforms.conf

[name]
SOURCE_KEY=
REGEX =\"(?[^\s]+)\"

props.conf

REPORT-classname=name

that doesn't make any sense. that extract command should force it to reload the config, which it will do on its own on some interval as well. that shouldn't make it work or not work on a consistent basis.

but i thought you said you were trying to extract a field from a field other than raw. But you leave SOURCE_KEY blank above? put the existing field in there instead of leaving it blank, so your regex runs against it instead of _raw.

Also, please use the code button when posting your config data. As you can see, answers is stripped out important characters from your comment.

with the code button:

\"(?<some_field>[^\s]+)\"

w/o code button:
\"(?[^\s]+)\"

Actually I provided the field but some how it is not updated here. let me explain you the scenario clearly.

_raw data

"Metadata": "{\r\n  \"GeneratedOnHost\": \"XXXXXX\"\r\n}"

As syntax highlight

Metadata:    {
  "GeneratedOnHost": "XXXXXX"
}

transforms.conf

[name]
SOURCE_KEY=Metadata
REGEX =\"GeneratedOnHost\"\:\s\"(?<extracted field name>[^\s]+)\"

props.conf

REPORT-name1=name

I used this configuration which can able to extract if I include extract reload=t in my search query every time I execute. But without that command it can't even populating the extracted field name.

any update on this? still not working?

I'm confused as to whether splunk is actually extracting the metadata field already or if you're just assuming because it's syntax-highlighted that it is? You could extract that field yourself first if Splunk isn't doing it for you.

also, are you in fast mode? if you're relying on splunk to extract the metadata field for you, then ensure you're allowing it do that by choosing smart or verbose mode.

Can you share whole event? Also what rex your using? You can use | rex field=<field_name> max_match=0 "reg_exp"

Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...