Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

REGEX/Props.conf - Extracting the same field from multiple places in the same sourcetype?

masonmorales
Influencer
‎11-20-2014 01:16 PM

I have one sourcetype that has a common field, but it's located at different places in the event depending on the message type. I've defined regex and tested it successfully for the three messages types. However, when I try to add the three different regex's to props.conf with the same field name, only the first one gets processed. How can I define multiple regex patterns to extract the same field name in the same source type?

The field that I am trying to extract is an aircraft tail number: N999XY in the examples below.

Message Type #1

Nov 20 20:54:33 host.mydomain.net ACCT_INTERIM,N999XY,99.99.99.99,N999XY_20141120150929,AABBCCDDEEFF,99.99.99.99,1A6F9EB7-B4EF-46CD-BCA6-024DC4360C5D,HOTSPOT_6,12345678,1234567,

Regex for Type #1

(ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),

Message Type #2

Nov 20 20:34:44 host.mydomain.net ACCESS-ACCEPT,0,99.99.99.99,N999XY_20141120185555,AABBCCDDEEFF,HOTSPOT_6,

Regex for Type #2

ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_

Message Type #3

Nov 20 20:40:49 host.mydomain.net DHCP_REQUEST,123456789,AABBCCDDEEFF,99.99.99.99,12345678,AA:BB:CC:DD:EE:FF@UNASSIGNED,N999XY,

Regex for Type #3

DHCP_REQUEST ,(?P[^,]+),$

Props.conf (/splunk/etc/system/local/props.conf)

[nms_servers_user]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = False
KV_MODE = None
TZ=GMT
EXTRACT-host_fqdn = \w+\s+\d+\s+\d+:\d+:\d+\s+(?P[^\s]+)
EXTRACT-msgtype = \.\w{3}\s+(?P[^,]+),
EXTRACT-tail = (ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),
EXTRACT-tail = ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_
EXTRACT-tail = DHCP_REQUEST ,(?P[^,]+),$

Thanks in advance for your help!

Reply
1 Solution
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$

View solution in original post

Reply
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$
Reply
Solved! Jump to solution

masonmorales
Influencer
‎11-20-2014 01:29 PM

That worked perfectly. Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...