
Regex help in transforms: key-value extraction and assigning to key

Super Champion

I'm trying to match a key-value pair within an SNMP trap message, where the KEY and VALUE are present in two separate fields.

# Data
var01_oid=1.3.6.1.4.1.123.5.5 var01_value=3 var02_oid=1.3.6.1.4.1.112.5.9 var02_value=2/9 var03_oid=1.3.6.1.4.1.345.5.3 var03_value=admin var04_oid=1.3.6.1.4.1.678.5.4 var04_value=10.0.2.48 

SPL and regex101 work correctly:

| rex "var01_oid=(?<oid_>\S+)\svar01_value=(?<oid_val>\S+)"

https://regex101.com/r/wV1qOZ/2

But when I put it into transforms/props, it fetches only the first digit of the OID in the extraction (not the entire OID):

[my_transform]
REGEX = var01_oid=(\S+)\svar01_value=(\S+)
FORMAT = oid_$1::$2
# I've put oid_ so the key starts with a letter, but the output shows as  oid_1 = 3    (I was expecting oid_1.3.6.1.4.1.123.5.5 = 3)

Any idea why Splunk's transforms.conf behaves differently from other systems?

Edit: it seems the question comes down to whether Splunk will allow a "." (dot) in the field name!?


Legend

Hi koshyk,
probably it's the same thing, but try using [^ ]+ instead of \S+
Bye.
giuseppe


Super Champion

Tried, but same result 😞


Legend

I tried on regex101 and it runs (https://regex101.com/r/VwkPrG/1) with

var0\d_oid=(?<oid_>\S+)\svar0\d_value=(?<oid_val>\S+)

Bye.
Giuseppe


Super Champion

Hi cusello, as mentioned in my query, it works in regex101 and in SPL, but NOT when you put it into Splunk conf files.


SplunkTrust

See if disabling CLEAN_KEYS will fix it.

CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it
  extracts at search time.
  "Key cleaning" is the practice of replacing any non-alphanumeric
  characters (characters other than those falling between the a-z, A-Z, or
  0-9 ranges) in field names with underscores, as well as the stripping of
  leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field
  names that include non-alphanumeric characters, or which begin with
  underscores or 0-9 characters.
* Defaults to true.

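The spec text quoted above says what key cleaning does to a field name, but not what that means for a name built from a dotted OID. The following is an added example (not code from this thread and not Splunk's own implementation): it applies the thread's REGEX/FORMAT logic to the sample trap line in Python, generalised from `var01` to every `varNN` pair, and emulates the documented cleaning rule so you can compare the field names produced with CLEAN_KEYS on and off. The `clean_key` function is an assumption based on a literal reading of the spec text; it does not reproduce the `oid_1 = 3` result the original poster observed, which the thread leaves unexplained.

```python
import re

# Constructed sample event: the single SNMP trap line quoted in the thread's "# Data" section.
SAMPLE_EVENT = (
    "var01_oid=1.3.6.1.4.1.123.5.5 var01_value=3 "
    "var02_oid=1.3.6.1.4.1.112.5.9 var02_value=2/9 "
    "var03_oid=1.3.6.1.4.1.345.5.3 var03_value=admin "
    "var04_oid=1.3.6.1.4.1.678.5.4 var04_value=10.0.2.48"
)

# Generalised form of the thread's regex: var\d+ instead of var01, so one
# pattern captures every OID/value pair in the event (the original only
# captured the first pair). \S+ stops at the space before the next key.
PAIR_RE = re.compile(r"var\d+_oid=(\S+)\svar\d+_value=(\S+)")


def clean_key(key):
    """Emulate "key cleaning" as transforms.conf.spec describes it.

    Assumption: this is a literal reading of the spec text, not Splunk's
    own code. Every character outside a-z, A-Z, 0-9 becomes '_', then
    leading underscores and digits are stripped.
    """
    cleaned = re.sub(r"[^A-Za-z0-9]", "_", key)
    return cleaned.lstrip("_0123456789")


def extract_fields(event, prefix="oid_", clean_keys=True):
    """Apply the equivalent of REGEX + FORMAT = <prefix>$1::$2 to one event.

    Returns a dict of field name -> value, with the key-cleaning step
    applied when clean_keys is True (the transforms.conf default).
    """
    fields = {}
    for oid, value in PAIR_RE.findall(event):
        key = prefix + oid            # FORMAT = oid_$1::$2 -> key is "oid_" + $1
        if clean_keys:
            key = clean_key(key)      # CLEAN_KEYS = true rewrites the dotted name
        fields[key] = value           # $2 is the field value, left untouched
    return fields


if __name__ == "__main__":
    for mode in (True, False):
        print("CLEAN_KEYS =", str(mode).lower())
        for name, value in extract_fields(SAMPLE_EVENT, clean_keys=mode).items():
            print("  %s = %s" % (name, value))
```

With cleaning on, `oid_1.3.6.1.4.1.123.5.5` becomes `oid_1_3_6_1_4_1_123_5_5`; with it off, the dotted name survives unchanged. The values (`3`, `2/9`, `admin`, `10.0.2.48`) are never touched, because cleaning applies only to the key side of `$1::$2`.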

Super Champion

The default was true, so I tried changing it to false, and now the value becomes

oid_$1

(which is just what is specified in the format)


SplunkTrust

This has to be an issue with valid variable names. Normally, Splunk replaces invalid characters with underscores.

In JSON extractions, Splunk does go down levels, but 8 levels of .this.that seems a bit much.
