I'm trying to match a key-value pair within an SNMP trap message whereby the KEY and VALUE are present in two fields.
# Data
var01_oid=18.104.22.168.22.214.171.124.5 var01_value=3 var02_oid=126.96.36.199.188.8.131.52.9 var02_value=2/9 var03_oid=184.108.40.206.4.1.345.5.3 var03_value=admin var04_oid=220.127.116.11.4.1.678.5.4 var04_value=10.0.2.48
SPL and regex101 work correctly:
| rex "var01_oid=(?<oid_>\S+)\svar01_value=(?<oid_val>\S+)"
But when I put it into transforms/props, it fetches only the 1st digit in the extraction (not the entire OID).
[my_transform]
REGEX = var01_oid=(\S+)\svar01_value=(\S+)
FORMAT = oid_$1::$2
# I've put oid_ so the key starts with alphabet, but output shows as oid_1 = 3 (I was expecting oid_18.104.22.168.22.214.171.124.5 = 3)
Any idea why Splunk's transforms.conf is different from other systems?
Edit: it seems the question comes down to whether Splunk will allow a "." (dot) in the field name?
See if disabling CLEAN_KEYS will fix it.
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it
extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric
characters (characters other than those falling between the a-z, A-Z, or
0-9 ranges) in field names with underscores, as well as the stripping of
leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field
names that include non-alphanumeric characters, or which begin with
underscores or 0-9 characters.
* Defaults to true.
This has to be an issue with valid variable names. Normally, Splunk replaces invalid characters with underscores.
In JSON extractions, Splunk does go down levels, but 8 levels of .this.that seems a bit much.