Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REGEX/Props.conf - Extracting the same field from multiple places in the same sourcetype?

masonmorales
Influencer
‎11-20-2014 01:16 PM

I have one sourcetype that has a common field, but it's located at different places in the event depending on the message type. I've defined regex and tested it successfully for the three messages types. However, when I try to add the three different regex's to props.conf with the same field name, only the first one gets processed. How can I define multiple regex patterns to extract the same field name in the same source type?

The field that I am trying to extract is an aircraft tail number: N999XY in the examples below.

Message Type #1

Nov 20 20:54:33 host.mydomain.net ACCT_INTERIM,N999XY,99.99.99.99,N999XY_20141120150929,AABBCCDDEEFF,99.99.99.99,1A6F9EB7-B4EF-46CD-BCA6-024DC4360C5D,HOTSPOT_6,12345678,1234567,

Regex for Type #1

(ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),

Message Type #2

Nov 20 20:34:44 host.mydomain.net ACCESS-ACCEPT,0,99.99.99.99,N999XY_20141120185555,AABBCCDDEEFF,HOTSPOT_6,

Regex for Type #2

ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_

Message Type #3

Nov 20 20:40:49 host.mydomain.net DHCP_REQUEST,123456789,AABBCCDDEEFF,99.99.99.99,12345678,AA:BB:CC:DD:EE:FF@UNASSIGNED,N999XY,

Regex for Type #3

DHCP_REQUEST ,(?P[^,]+),$

Props.conf (/splunk/etc/system/local/props.conf)

[nms_servers_user]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = False
KV_MODE = None
TZ=GMT
EXTRACT-host_fqdn = \w+\s+\d+\s+\d+:\d+:\d+\s+(?P[^\s]+)
EXTRACT-msgtype = \.\w{3}\s+(?P[^,]+),
EXTRACT-tail = (ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),
EXTRACT-tail = ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_
EXTRACT-tail = DHCP_REQUEST ,(?P[^,]+),$

Thanks in advance for your help!

Reply
1 Solution
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$

View solution in original post

Reply
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$
Reply
Solved! Jump to solution

masonmorales
Influencer
‎11-20-2014 01:29 PM

That worked perfectly. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...