Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Regex using transforms.conf

gnovak
Builder
‎01-13-2012 11:11 AM

I'm not quite sure if I'm doing this right or going in the right direction. I have a log where the results are a bunch of numbers. Each number represents the time it took for a specific command to run. The first number represents a command, the second number represents another command, etc.

Here's what the line looks like:

2012-01-11 19:00:05+00 | eap.someregistry.net | 5 | 30 | 4 | 21 | 7 | 45 | 11 | 6 | 13 | 2

I have successfully extracted the eap.someregistry.net and labeled it "server". However I want to extract the numbers as well and have them labeled based on the command that they represent.

Example:

5 would be Login
30 would be Delete
4 would be Create
etc.

I was thinking of using transforms.conf and props.conf for this but I'm not quite sure how to go about this. I don't have a ton of experience using these files for this type of extraction.

I'm reading about props and transforms right now but figured I'd ask this question while I read more. What's the best way to go about doing this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎01-13-2012 05:16 PM

You can perform a search time named field extraction with something like this in props.conf

Replace the fields names(command1, command2 etc...) with your specific command names

[my_sourcetype]
EXTRACT-extract_my_fields = \|\s(?<command1>\d+)\s\|\s(?<command2>\d+)\s\|\s(?<command3>\d+)\s\|\s(?<command4>\d+)\s\|\s(?<command5>\d+)\s\|\s(?<command6>\d+)\s\|\s(?<command7>\d+)\s\|\s(?<command8>\d+)\s\|\s(?<command9>\d+)\s\|\s(?<command10>\d+)

View solution in original post

Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎01-13-2012 05:16 PM

You can perform a search time named field extraction with something like this in props.conf

Replace the fields names(command1, command2 etc...) with your specific command names

[my_sourcetype]
EXTRACT-extract_my_fields = \|\s(?<command1>\d+)\s\|\s(?<command2>\d+)\s\|\s(?<command3>\d+)\s\|\s(?<command4>\d+)\s\|\s(?<command5>\d+)\s\|\s(?<command6>\d+)\s\|\s(?<command7>\d+)\s\|\s(?<command8>\d+)\s\|\s(?<command9>\d+)\s\|\s(?<command10>\d+)
Reply
Solved! Jump to solution

gnovak
Builder
‎01-17-2012 08:46 AM

Ah this worked great. Thanks....good to know for the future!

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎01-13-2012 02:44 PM

So far I've got a monster regex pulling out all of the numbers but I might see about putting this into files...just not sure how to go about doing it..

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...