Splunk Search

How to make a rex field extraction permanent for a field extraction from source?

mlb19
Explorer

Hi Splunkers,

I need to extract the name of the computer generating the log from the file name. I found a way to do so with rex:

index=* | rex field=source ".(?<Chassis>C\d+)"

That works as it should, but the field is only present for the search creating the field.
So I thought I need to extract the field in my props.conf in order to make them permanent.

What I tried and what I found here on Splunk Answers did not work. I guess it has something to do with extracting a field from the source field.

Here is what I tried:

1)

[RT-VPM]
EXTRACT-Chassis = C\d+ in source

2)

[RT-VPM]
EXTRACT-Chassis = .(?<Chassis>C\d+) in source

I also tried quite a few variations on 1 and 2, but I did not document all of them.

I hope somebody is able to help me

Cheers

0 Karma
1 Solution

dturnbull_splun
Splunk Employee
Splunk Employee

You need to use a transform where you have a different source field:

# props.conf
[RT-VPM]
REPORT-chassis = chassis

# transforms.conf
[chassis]
SOURCE_KEY=source
REGEX = .(?<Chassis>C\d+)

View solution in original post

Muwafi
Path Finder

could this work on lookup output fields also ?? and what will be the solution if not?

0 Karma

dturnbull_splun
Splunk Employee
Splunk Employee

You need to use a transform where you have a different source field:

# props.conf
[RT-VPM]
REPORT-chassis = chassis

# transforms.conf
[chassis]
SOURCE_KEY=source
REGEX = .(?<Chassis>C\d+)

mlb19
Explorer

thank you that worked!

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...