Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REGEX/Props.conf - Extracting the same field from multiple places in the same sourcetype?

masonmorales
Influencer
‎11-20-2014 01:16 PM

I have one sourcetype that has a common field, but it's located at different places in the event depending on the message type. I've defined regex and tested it successfully for the three messages types. However, when I try to add the three different regex's to props.conf with the same field name, only the first one gets processed. How can I define multiple regex patterns to extract the same field name in the same source type?

The field that I am trying to extract is an aircraft tail number: N999XY in the examples below.

Message Type #1

Nov 20 20:54:33 host.mydomain.net ACCT_INTERIM,N999XY,99.99.99.99,N999XY_20141120150929,AABBCCDDEEFF,99.99.99.99,1A6F9EB7-B4EF-46CD-BCA6-024DC4360C5D,HOTSPOT_6,12345678,1234567,

Regex for Type #1

(ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),

Message Type #2

Nov 20 20:34:44 host.mydomain.net ACCESS-ACCEPT,0,99.99.99.99,N999XY_20141120185555,AABBCCDDEEFF,HOTSPOT_6,

Regex for Type #2

ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_

Message Type #3

Nov 20 20:40:49 host.mydomain.net DHCP_REQUEST,123456789,AABBCCDDEEFF,99.99.99.99,12345678,AA:BB:CC:DD:EE:FF@UNASSIGNED,N999XY,

Regex for Type #3

DHCP_REQUEST ,(?P[^,]+),$

Props.conf (/splunk/etc/system/local/props.conf)

[nms_servers_user]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = False
KV_MODE = None
TZ=GMT
EXTRACT-host_fqdn = \w+\s+\d+\s+\d+:\d+:\d+\s+(?P[^\s]+)
EXTRACT-msgtype = \.\w{3}\s+(?P[^,]+),
EXTRACT-tail = (ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),
EXTRACT-tail = ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_
EXTRACT-tail = DHCP_REQUEST ,(?P[^,]+),$

Thanks in advance for your help!

Reply
1 Solution
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$

View solution in original post

Reply
Solved! Jump to solution
Solution

Yorokobi
SplunkTrust
SplunkTrust
‎11-20-2014 01:25 PM

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$
Reply
Solved! Jump to solution

masonmorales
Influencer
‎11-20-2014 01:29 PM

That worked perfectly. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...