Index time field extraction: regexp issue

Explorer

Hello,

Since I often search a specific expression in a large set of events, I would like to index it.

Every single instance that I am running has the following format:
instance-name.generic-name.subdomaine.domain.com

In this expression, only domain.com is static and will never change.
I would like to extract generic-name for all of my events.

props.conf

[generic-name]
TRANSFORMS-generic-name = generic-name

transforms.conf

[generic-name]
REGEX = (?<instancename>[^\.]+)\.(?<gname>[^\.]+)\.(?<subdomain>[^\.]+)\.(?<domain>[^\.]+)\.
# Required for index-time field extraction: without it the captured groups are never written to the event's metadata.
WRITE_META = true

fields.conf

[gname]
INDEXED = true

I am wondering if the fact that I am not receiving anything in the Splunk dashboard is coming from my configuration file or my regular expression?
Thank you in advance for your help.

Update: I have tried all the following regexps and there is still no result. I don't receive any data in my sourcetype.

0 Karma

Re: Index time field extraction: regexp issue

SplunkTrust

Are you sure you need indexed extractions here?

What happens when you run this search:

index=foo sourcetype=generic-name gname=some-gname

Is the scanCount in the job inspector higher than the resultCount?

0 Karma

Re: Index time field extraction: regexp issue

Explorer

Thank you for your answer. Yes, I am pretty sure that I need indexed extractions here since I am running the equivalent of gname=foo on every single search I do. Anyway, I will compare the performance before and after my change.

When I run this:
index=foo sourcetype=generic-name gname=some-gname
I get: No Results Found. Even with sourcetype=generic-name only and gname=some-gname only.

scanCount=0 resultCount=0.

I am wondering if the host is part of the data. Is the host part of the data that I can extract? Or maybe it is just my regexp.

0 Karma

Re: Index time field extraction: regexp issue

Esteemed Legend

It is your REGEX; try this one:
(?<instancename>[^/.]+)/.(?<gname>[^/.]+)/.(?<subdomain>[^/.]+)/.(?<domain>[^/.]+)

0 Karma

Re: Index time field extraction: regexp issue

Explorer

Thank you for your answer.
Your regexp looks good and easy to understand, but maybe slower due to the multiple extractions.
Anyway, I still receive no data when I try to use yours. Am I missing something else somewhere?

0 Karma

Re: Index time field extraction: regexp issue

Splunk Employee

See my answer. You were missing an actual extraction. Your capturing group surrounded only the field name... so nothing was being captured. You were also representing only one iteration of "anything that is not a dot" because you were missing the +, which says "everything that is not a dot, until you hit the dot". Whether you grab all the fields, or put literals in the domain and subdomain, it doesn't matter as long as you are actually capturing something. As for "slower": as long as you are moving forward (and not doing lookbacks) speed isn't an issue.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Re: Index time field extraction: regexp issue

Esteemed Legend

You need to swap the frontslashes for backslashes (stinking broken markdown). It does work; I tested it. It is important to include the other portions (but you don't necessarily have to capture them into fields) because otherwise your single capture will be capturing things you do not intend.

0 Karma
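The two replies above make the same point: the regex must capture something, and the surrounding tokens must be present so the capture does not land on an unintended dotted string. The following is an added example, not code from the thread; it runs the posted regex (translated to Python's `(?P<name>...)` syntax, since Splunk's PCRE `(?<name>...)` is not accepted by Python's `re`) against constructed events, beside a variant pinned to the static `domain.com` suffix the poster described. The `ANCHORED` pattern and the sample events are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Regex as posted in the thread, in Python syntax: four dot-free tokens separated by dots.
# Note that [^.] also matches spaces, so a token can silently run across whitespace.
LOOSE = re.compile(
    r"(?P<instancename>[^.]+)\.(?P<gname>[^.]+)\.(?P<subdomain>[^.]+)\.(?P<domain>[^.]+)\."
)

# Assumed variant: the poster said only domain.com is static, so pin the match to it
# and refuse whitespace inside tokens. This is an added suggestion, not from the thread.
ANCHORED = re.compile(
    r"(?P<instancename>[^.\s]+)\.(?P<gname>[^.\s]+)\.(?P<subdomain>[^.\s]+)\.domain\.com\b"
)

# Constructed sample events; the second one carries an IP address before the hostname.
EVENTS = [
    "instance-name.generic-name.subdomaine.domain.com",
    "10.0.0.1 instance-name.generic-name.subdomaine.domain.com",
]


def extract_gname(event: str, pattern: re.Pattern) -> Optional[str]:
    """Return what the transform would store in gname for this event, or None."""
    m = pattern.search(event)
    return m.group("gname") if m else None


def compare(events: List[str] = EVENTS) -> List[Tuple[Optional[str], Optional[str]]]:
    """(loose, anchored) gname per event, so a disagreement between the two is visible."""
    return [(extract_gname(e, LOOSE), extract_gname(e, ANCHORED)) for e in events]


if __name__ == "__main__":
    for event, (loose, anchored) in zip(EVENTS, compare()):
        # Second event: the loose regex latches onto "10.0.0.1 ..." and stores gname=0.
        print(f"{event!r}\n  loose    -> {loose}\n  anchored -> {anchored}")
```

With the IP-prefixed event the loose pattern yields `gname=0`, which is exactly the "capturing things you do not intend" case; the anchored pattern still returns `generic-name`.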

Re: Index time field extraction: regexp issue

Explorer

Okay, thank you. Both of your regexps, woocock and rsenett_splunk, are matching what I want, which is perfect.
However, I still don't receive anything in the dashboard. The sourcetype is fine in the license. I have updated my first post with your regex: it is all up to date.

0 Karma

Re: Index time field extraction: regexp issue

Esteemed Legend

Post your dashboard xml.

0 Karma

Re: Index time field extraction: regexp issue

Explorer

I am just using the search: "sourcetype=generic-name gname=foo", in my Splunk App.

0 Karma