Is there a way to tell if a regex has been applied to an event? I'm doing field extractions and want a way to confirm the field extractions applied to all the correct events. I suppose I could do this validation outside of Splunk using grep | linecount and cross checking with the event count in Splunk. It would be cool though if I could use Splunk though.
The extract command should do the trick. Reference: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Extract
Would someone provide an accurate answer to this question?
It is not possible. grep would be a bad choice as its regular expressions are quite different from PCRE, which is what Splunk uses.
I do not understand this answer at all. The extract command has nothing to do with this.
Hi woodcock,
that is not correct, you can call specific transform stanzas using the extract command:
<extractor-name>
Syntax: <string>
Description: A stanza in the transforms.conf file. This is used when the props.conf file does not explicitly cause an extraction for this source, sourcetype, or host.
So by using extract, this part of the question: "I'm doing field extractions and want a way to confirm the field extractions applied to all the correct events." was answered correctly.
But besides this, there is not really another way to get something like this: "Is there a way to tell if a regex has been applied to an event?"
Hope that makes sense ...
cheers, MuS
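As an added example (not from the thread or from Splunk's documentation), this is the kind of search the comments above describe: call a transforms.conf stanza explicitly with extract and count how many events the regex actually matched. The index, sourcetype, stanza name my_txn_extract and field txn_id are all assumptions; the stanza is assumed to be defined in transforms.conf as REGEX = txn=(?<txn_id>[A-Z0-9]{8}). Checking the field once before extract and once after separates "the configured extraction did not fire for this event" from "the regex does not match this event at all".

```spl
index=main sourcetype=my_app earliest=-24h
| eval auto_ok=if(isnotnull(txn_id), "yes", "no")
| extract my_txn_extract
| eval regex_ok=if(isnotnull(txn_id), "yes", "no")
| stats count AS events, latest(_raw) AS sample_event BY auto_ok regex_ok
```

Rows with auto_ok="no" and regex_ok="yes" are events the regex matches but the props.conf/transforms.conf wiring did not apply to (wrong sourcetype, host or source scoping); rows with regex_ok="no" are events the regex itself does not cover, and sample_event gives you one raw line per bucket to inspect. As MuS notes, this validates whether the stanza matches at search time; it does not tell you which transforms Splunk ran when the event was originally processed.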
I still do not see what you are saying. All extract does is execute a specific transform, which in no way allows for any backtracking, which is what this question is about.
yep, exactly what I said 😉
You can use extract to test, validate if the transforms stanza works with search results.
But out of the box you will get no information backtracking which transforms were executed against the events.
The question in my eyes is misleading because it asks two different things in one post:
For 2., the answer is extract.
One can argue that it actually did not answer the first question and, for argument's sake, you might get something from running Splunk in debug mode or increasing the TransformsExtractionHandler log channel. But I never really tried, nor checked that.
cheers, MuS
And only the OP might care. 100% of everyone else who ends up here from a search engine is looking for the answer that is NOT here.
You're right about this