Splunk Search

Limit in manual editing regex

javo
Explorer

Hello there

What I'm doing is extracting fields from my log file and every entry has about 20 fields separated by commas, some of them empty. Something like this:

FULL,34,32136783,2012-03-07 14:23:43,120,,0,4|0|65|1|02,no_failure,,,,,,,no_text,10%,145432236,15-47658995,-1

(Please note the repeated commas; that's not a typing mistake. Those are empty fields.)

It happens that I need to edit the regex manually because the automatic recognition doesn't work well, but the dialog window that opens by clicking 'Edit' doesn't let me write the very long regular expression I need. I can write exactly 200 characters and my regex is at least two times longer. And there you go:

^(?P<FIELDNAME1>[^,]+),(?P<FIELDNAME2>[^,]+),(?P<FIELDNAME3>[^,]+),... and so on 20 times

So, does anyone know how to solve this inconvenience? Another way to tell Splunk to extract those 20 fields? Or perhaps an equivalent, shorter regex?

Thank you whoever helps!

1 Solution

sbrant_splunk
Splunk Employee

Using props and transforms in this case is the right thing to do, if you can. An alternative, if you were to not have access, may be to use multiple extractions to get all of the fields, using a regex such as this:

^(?:(?<field1>[^,]*),){1}             # catches the first field
^(?:(?<field2>[^,]*),){2}             # catches the second field
.
.
.
^(?:(?<field20>[^,]*)(?:,|$)){20}     # catches the 20th field; the last field has no trailing comma, so end of line is accepted as its separator

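As an added example (not part of the accepted answer or of Splunk's own code), the script below runs the answer's per-field patterns over the sample line from the question and compares them with the single long pattern the questioner was trying to type. Python's `re` stands in for Splunk's PCRE; the named-group spelling `(?P<name>...)` is the one the question itself uses and Splunk accepts it. It also shows two things a practitioner wants to know before trusting the extraction: the questioner's `[^,]+` form can never match a line with an empty field (which is likely why the automatic extraction "doesn't work well"), and the repeated-group trick returns an empty string rather than failing when asked for a field beyond the end of the line. The function names are mine.

```python
import re

# Constructed sample event, copied from the question: 20 comma-separated
# fields, six of them empty (the runs of commas).
SAMPLE = ("FULL,34,32136783,2012-03-07 14:23:43,120,,0,4|0|65|1|02,"
          "no_failure,,,,,,,no_text,10%,145432236,15-47658995,-1")


def nth_field_regex(n, name):
    """Pattern in the style of the accepted answer: a (field, separator)
    group repeated n times. A capturing group inside a repeat keeps the
    value of its last iteration, so the named group ends up holding field n.
    The separator also accepts end of line; otherwise the final field, which
    has no trailing comma, could never be matched."""
    return r"^(?:(?P<%s>[^,]*)(?:,|$)){%d}" % (name, n)


def skip_field_regex(n, name):
    """Equivalent pattern without the repeat-capture trick: skip n-1 fields,
    then capture the next one. Unlike nth_field_regex it yields no match
    (None) when the line has fewer than n fields instead of returning ''."""
    return r"^(?:[^,]*,){%d}(?P<%s>[^,]*)" % (n - 1, name)


def extract_nth(line, n, builder=nth_field_regex):
    """Return field n (1-based) of line, or None if the pattern does not match."""
    m = re.match(builder(n, "f"), line)
    return m.group("f") if m else None


def extract_all(line, count, builder=nth_field_regex):
    """One short extraction per field, as the accepted answer suggests."""
    return [extract_nth(line, i, builder) for i in range(1, count + 1)]


def full_regex(count, allow_empty):
    """The single long pattern from the question. allow_empty=False keeps the
    original [^,]+ per field; allow_empty=True uses [^,]* so ',,' matches."""
    q = "*" if allow_empty else "+"
    parts = [r"(?P<FIELDNAME%d>[^,]%s)" % (i, q) for i in range(1, count + 1)]
    return "^" + ",".join(parts) + "$"


def extract_full(line, count, allow_empty):
    """Apply the single long pattern; None when it does not match at all."""
    m = re.match(full_regex(count, allow_empty), line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(extract_all(SAMPLE, 20))
    print("long pattern:", len(full_regex(20, True)), "chars;",
          "[^,]+ version matches:", extract_full(SAMPLE, 20, False) is not None)
    print("field 21 via repeat trick:", repr(extract_nth(SAMPLE, 21)),
          "via skip form:", extract_nth(SAMPLE, 21, skip_field_regex))
```

Each per-field pattern is well under the 200-character limit of the dialog, whereas the full 20-field pattern is several hundred characters long. Whichever form is used, `[^,]*` rather than `[^,]+` is what makes empty fields extract as empty values instead of silently failing the whole event.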

Drainy
Champion

Props.conf
[host::foo]
TRANSFORMS-foo=netscreen-error-field

Transforms.conf
[netscreen-error-field]
REGEX = device_id=\[\w+\](?<err_code>[^:]+)
FORMAT = err_code::$1

I've just edited one part from the docs. They are written by users so they are what a regular user would write.

0 Karma
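As an added example (written for this page, not taken from any of the posters or from Splunk), the script below renders the search-time props.conf and transforms.conf stanzas a user would write for the questioner's 20-field format and simulates how Splunk applies them, so the configuration can be checked against sample lines before it is copied to the server. Two points for the practitioner: TRANSFORMS- in props.conf (as in the stanza quoted above) is an index-time setting, while the field extractor in the web interface produces search-time extractions (EXTRACT- in props.conf, or REPORT- pointing at a transforms.conf stanza), which is what the question needs; and transforms.conf accepts DELIMS/FIELDS for delimited data, which extracts all 20 fields with no regex at all and therefore no length limit. The sourcetype name app_log, the transform name csv20 and the field names field1..field20 are assumptions, the NetScreen event is constructed, and the DELIMS mismatch behaviour is an assumption noted in the code.

```python
import re

# Constructed sample event copied from the question (20 comma-separated fields).
SAMPLE = ("FULL,34,32136783,2012-03-07 14:23:43,120,,0,4|0|65|1|02,"
          "no_failure,,,,,,,no_text,10%,145432236,15-47658995,-1")

# Hypothetical field names; the question does not give the real ones.
FIELDS = ["field%d" % i for i in range(1, 21)]

# The transform quoted in the reply above (backslashes and group name restored),
# plus a constructed NetScreen-style event for it.
NS_REGEX = r"device_id=\[\w+\](?<err_code>[^:]+)"
NS_EVENT = 'device_id=[fw01]system-notification-00257(traffic): start_time="2012-03-07 14:23:43"'


def search_time_conf(sourcetype, transform, fields, delim=","):
    """Render a search-time extraction for a delimited format. REPORT- in
    props.conf (not TRANSFORMS-, which is index-time) points at a
    transforms.conf stanza that uses DELIMS/FIELDS, so no regex is needed."""
    props = "[%s]\nREPORT-%s = %s\n" % (sourcetype, transform, transform)
    transforms = "[%s]\nDELIMS = \"%s\"\nFIELDS = %s\n" % (
        transform, delim, ", ".join(fields))
    return props, transforms


def to_python_regex(splunk_regex):
    """Splunk (PCRE) writes named groups as (?<name>...); Python needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone because \\w+ cannot match = or !."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", splunk_regex)


def apply_delims(event, delim, fields):
    """Simulate DELIMS/FIELDS: split on the delimiter and name the pieces.
    Assumed behaviour on a count mismatch: surplus values are dropped and
    missing fields are simply not set."""
    return dict(zip(fields, event.split(delim)))


def apply_regex_format(event, splunk_regex, fmt=None):
    """Simulate REGEX + FORMAT: FORMAT is whitespace-separated name::value
    tokens in which $N is replaced by capture group N. Without FORMAT the
    named groups become the field names. Unmatched events yield nothing."""
    m = re.search(to_python_regex(splunk_regex), event)
    if not m:
        return {}
    if fmt is None:
        return m.groupdict()
    out = {}
    for token in fmt.split():
        name, value = token.split("::", 1)
        out[name] = re.sub(r"\$(\d+)",
                           lambda g: m.group(int(g.group(1))) or "", value)
    return out


def check_field_counts(lines, fields, delim=","):
    """Return (1-based line number, field count) for every line whose count
    differs from len(fields). A stray delimiter inside a free-text field
    shifts every later field, so run this over real data before deploying."""
    want = len(fields)
    return [(i, len(line.split(delim)))
            for i, line in enumerate(lines, 1) if len(line.split(delim)) != want]


if __name__ == "__main__":
    props, transforms = search_time_conf("app_log", "csv20", FIELDS)
    print("# props.conf\n" + props + "\n# transforms.conf\n" + transforms)
    print(apply_delims(SAMPLE, ",", FIELDS))
    print(apply_regex_format(NS_EVENT, NS_REGEX, "err_code::$1"))
    print(check_field_counts([SAMPLE, SAMPLE.replace("no_text", "no,text")], FIELDS))
```

Once the field counts check out on real data, the rendered stanzas go into the app's local directory on the search head (`$SPLUNK_HOME/etc/apps/<app>/local/props.conf` and `transforms.conf`), which is the same place the web field extractor ultimately writes to, without the dialog's 200-character restriction.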

javo
Explorer

I don't know, I just want to see something.

0 Karma

Ayn
Legend

What are you missing from the examples? They look very much like what I would write something as a 'regular user'.

javo
Explorer

Could anyone show me a user-made props.conf, or at least a piece of it?
I know there is an example in Splunk's directory but it would be much better for me to see something made by a user.

0 Karma

Ayn
Legend

Do you have shell access on the Splunk server? Because what you do in the field extractor in the web interface ultimately ends up in a props.conf / transforms.conf file. By editing that file directly you won't have any problems with limits like this.

javo
Explorer

Yes, I do have access. Should I edit both files?

0 Karma