I'm trying to match a key-value pair within an SNMP trap message, whereby the KEY and VALUE are present in two separate fields.
# Data
var01_oid=1.3.6.1.4.1.123.5.5 var01_value=3 var02_oid=1.3.6.1.4.1.112.5.9 var02_value=2/9 var03_oid=1.3.6.1.4.1.345.5.3 var03_value=admin var04_oid=1.3.6.1.4.1.678.5.4 var04_value=10.0.2.48
SPL and regex101 work correctly:
| rex var01_oid=(?<oid_>\S+)\svar01_value=(?<oid_val>\S+)
https://regex101.com/r/wV1qOZ/2
But when I put it into transforms/props, it fetches only the 1st digit in the extraction (not the entire OID):
[my_transform]
REGEX=var01_oid=(\S+)\svar01_value=(\S+)
FORMAT = oid_$1::$2
# I've put oid_ so the key starts with a letter, but the output shows as oid_1 = 3 (I was expecting oid_1.3.6.1.4.1.123.5.5 = 3)
Any idea why Splunk transforms.conf behaves differently from other systems?
Edit: it seems the question comes down to whether Splunk will allow a "." (dot) in the field name!?
Hi koshyk,
probably it's the same thing, but try using [^ ]+ instead of \S+
Bye.
giuseppe
Tried, but same result 😞
I tried on regex101 and it runs (https://regex101.com/r/VwkPrG/1) with
var0\d_oid=(?<oid_>\S+)\svar0\d_value=(?<oid_val>\S+)
Bye.
Giuseppe
Hi cusello, as mentioned in my query it works in regex and in SPL, but NOT when you put it into Splunk conf files.
See if disabling CLEAN_KEYS will fix it.
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it
extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric
characters (characters other than those falling between the a-z, A-Z, or
0-9 ranges) in field names with underscores, as well as the stripping of
leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field
names that include non-alphanumeric characters, or which begin with
underscores or 0-9 characters.
* Defaults to true.
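As an added example (not from this thread and not Splunk's own code), here is a small Python re-implementation of the key-cleaning rule quoted above, run over the sample trap data with the thread's regex. It assumes only the documented rule (non-alphanumerics to underscores, then leading underscores and digits stripped) and does not emulate Splunk's FORMAT handling; it shows why the oid_ prefix matters, since a bare OID key would be stripped to nothing.

```python
import re

# Constructed sample: the SNMP trap fields from the question, as one event string.
EVENT = ("var01_oid=1.3.6.1.4.1.123.5.5 var01_value=3 "
         "var02_oid=1.3.6.1.4.1.112.5.9 var02_value=2/9 "
         "var03_oid=1.3.6.1.4.1.345.5.3 var03_value=admin "
         "var04_oid=1.3.6.1.4.1.678.5.4 var04_value=10.0.2.48")

# The transform's REGEX from the thread, generalised to every varNN pair.
REGEX = re.compile(r"var0\d_oid=(\S+)\svar0\d_value=(\S+)")


def clean_key(key: str) -> str:
    """Emulate the CLEAN_KEYS rule as quoted from transforms.conf.spec:
    replace non-alphanumerics with underscores, then strip leading
    underscores and digits. This is a re-implementation of the documented
    rule (an assumption), not Splunk's own implementation."""
    key = re.sub(r"[^A-Za-z0-9]", "_", key)
    return key.lstrip("_0123456789")


def extract(event: str, prefix: str = "oid_", clean_keys: bool = True) -> dict:
    """Apply the REGEX/FORMAT pair (FORMAT = <prefix>$1::$2) to an event
    and return the resulting field names and values."""
    fields = {}
    for oid, value in REGEX.findall(event):
        key = prefix + oid
        if clean_keys:
            key = clean_key(key)
        fields[key] = value
    return fields


if __name__ == "__main__":
    # With the oid_ prefix the dots survive only as underscores.
    for k, v in extract(EVENT).items():
        print(f"{k} = {v}")
    # Without the prefix, key cleaning strips a bare OID down to an empty key,
    # so all four pairs collapse onto a single nameless field.
    print(extract(EVENT, prefix=""))
    # With CLEAN_KEYS = false the dotted key is kept verbatim.
    print(extract(EVENT, clean_keys=False))
```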
Default was true. So I tried changing it to false, and now the value becomes
oid_$1
(which is just specified in the format)
This has to be an issue with valid variable names. Normally, Splunk replaces invalid characters with underscores.
In JSON extractions, Splunk does go down levels, but 8 levels of .this.that seems a bit much.