Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REGEX/Props.conf - Extracting the same field from multiple places in the same sourcetype?

masonmorales
Influencer
‎11-20-2014 01:16 PM

I have one sourcetype that has a common field, but it's located at different places in the event depending on the message type. I've defined regex and tested it successfully for the three messages types. However, when I try to add the three different regex's to props.conf with the same field name, only the first one gets processed. How can I define multiple regex patterns to extract the same field name in the same source type?

The field that I am trying to extract is an aircraft tail number: N999XY in the examples below.

Message Type #1

Nov 20 20:54:33 host.mydomain.net ACCT_INTERIM,N999XY,99.99.99.99,N999XY_20141120150929,AABBCCDDEEFF,99.99.99.99,1A6F9EB7-B4EF-46CD-BCA6-024DC4360C5D,HOTSPOT_6,12345678,1234567,

Regex for Type #1

(ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),

Message Type #2

Nov 20 20:34:44 host.mydomain.net ACCESS-ACCEPT,0,99.99.99.99,N999XY_20141120185555,AABBCCDDEEFF,HOTSPOT_6,

Regex for Type #2

ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_

Message Type #3

Nov 20 20:40:49 host.mydomain.net DHCP_REQUEST,123456789,AABBCCDDEEFF,99.99.99.99,12345678,AA:BB:CC:DD:EE:FF@UNASSIGNED,N999XY,

Regex for Type #3

DHCP_REQUEST ,(?P[^,]+),$

Props.conf (/splunk/etc/system/local/props.conf)

[nms_servers_user]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = False
KV_MODE = None
TZ=GMT
EXTRACT-host_fqdn = \w+\s+\d+\s+\d+:\d+:\d+\s+(?P[^\s]+)
EXTRACT-msgtype = \.\w{3}\s+(?P[^,]+),
EXTRACT-tail = (ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),
EXTRACT-tail = ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_
EXTRACT-tail = DHCP_REQUEST ,(?P[^,]+),$

Thanks in advance for your help!

Reply
1 Solution
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$

View solution in original post

Reply
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$
Reply
Solved! Jump to solution

masonmorales
Influencer
‎11-20-2014 01:29 PM

That worked perfectly. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...