Splunk Search

How to make a rex field extraction permanent for a field extraction from source?

mlb19
Explorer

Hi Splunkers,

I need to extract the name of the computer generating the log from the file name. I found a way to do so with rex:

index=* | rex field=source ".(?<Chassis>C\d+)"

That works as it should, but the field is only present for the search creating the field.
So I thought I need to extract the field in my props.conf in order to make them permanent.

What I tried and what I found here on Splunk Answers did not work. I guess it has something to do with extracting a field from the source field.

Here is what I tried:

1)

[RT-VPM]
EXTRACT-Chassis = C\d+ in source

2)

[RT-VPM]
EXTRACT-Chassis = .(?<Chassis>C\d+) in source

I also tried quite a few variations on 1 and 2, but I did not document all of them.

I hope somebody is able to help me

Cheers

0 Karma
1 Solution

dturnbull_splun
Splunk Employee
Splunk Employee

You need to use a transform where you have a different source field:

# props.conf
[RT-VPM]
REPORT-chassis = chassis

# transforms.conf
[chassis]
SOURCE_KEY=source
REGEX = .(?<Chassis>C\d+)

View solution in original post

Muwafi
Path Finder

could this work on lookup output fields also ?? and what will be the solution if not?

0 Karma

dturnbull_splun
Splunk Employee
Splunk Employee

You need to use a transform where you have a different source field:

# props.conf
[RT-VPM]
REPORT-chassis = chassis

# transforms.conf
[chassis]
SOURCE_KEY=source
REGEX = .(?<Chassis>C\d+)

mlb19
Explorer

thank you that worked!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...