
SOURCE_Key Extraction

AliMaher
Path Finder

I have used the below two events to test the SOURCE_KEY setting:


<132>1 2023-12-24T09:48:05+00:00 DCSECIDKOASV02 ikeyserver 8244 - [meta sequenceId="2850227"] {Warning}, {RADIUS}, {W-006001}, {An invalid RADIUS packet has been received.}, {0x0C744774DF59FC530462C92D2781B102}, {Source Location:10.240.86.6:1812 (Authentication)}, {Client Location:10.240.86.18:42923}, {Reason:The packet is smaller than minimum size allowed for RADIUS}, {Request ID:101}, {Input Details:0x64656661756C742073656E6420737472696E67}, {Request Type:Indeterminate}
<132>1 2023-12-24T09:48:05+00:00 DCSECIDKOASV02 ikeyserver 8244 - [meta sequenceId="2850228"] {Warning}, {RADIUS}, {W-006001}, {An invalid RADIUS packet has been received.}, {0xBA42228CB3604ECFDEEBC274D3312187}, {Source Location:10.240.86.6:1812 (Authentication)}, {Client Location:10.240.86.19:18721}, {Reason:The packet is smaller than minimum size allowed for RADIUS}, {Request ID:101}, {Input Details:0x64656661756C742073656E6420737472696E67}, {Request Type:Indeterminate}

 

Using the below Regex:

[xmlExtractionIDX]
REGEX = .*?"]\s+\{(?<Severity>\w+)\},\s+\{\w+\},\s+\{(?<DeviceID>[^}]*)\},(.*)
FORMAT = Severity::$1 DeviceID::$2 Last_Part::$3

WRITE_META = true

 

Up to that point it works fine. Then I want to add a more precise extraction and extract more info from the Last_Part field using SOURCE_KEY:


[xmlExtractionIDX]
REGEX = .*?"]\s+\{(?<Severity>\w+)\},\s+\{\w+\},\s+\{(?<DeviceID>[^}]*)\},(.*)
FORMAT = Severity::$1 DeviceID::$2 Last_Part::$3
SOURCE_KEY = MetaData:Last_Part
REGEX = Reason:(.*?)\}
FORMAT = Reason::$1
WRITE_META = true

 

But it doesn't work now. Is there any advice on how to do that using SOURCE_KEY?


PickleRick
SplunkTrust

Apart from the direct technical answer - you can't have the same setting twice (two FORMAT entries) in the same stanza. The latter overwrites the former.

But there are more issues here - why are you trying to use index-time extractions in the first place?

AliMaher
Path Finder

I am trying to test the index-time field extraction, and want to know how to refine the field extraction using the SOURCE_KEY keyword.

Then how can I refine my field extraction if I can't use SOURCE_KEY twice?


PickleRick
SplunkTrust

OK. If it's just for testing the functionality, I won't be bugging you about it too much 😉

Just remember that apart from very specific cases index-time extractions are best avoided.

But back to the point - if you want to extract a field from a previously extracted field, you need to have two separate transforms and make sure they are triggered in a proper order.

So you need to first define a transform which extracts a field (or set of fields) from raw data. And then define another transform which extracts your field from an already extracted field. As a bonus you might (if you don't need it indexed) add yet another transform to "delete" (by setting it to null() using INGEST_EVAL) the field extracted in the first step.

Example:

transforms.conf:

[test_extract_payload]
REGEX = payload:\s"([^"]+)"
FORMAT = payload::$1
WRITE_META = true

[test_extract_site]
REGEX = site:\s(\S+)
FORMAT = site::$1
WRITE_META = true
SOURCE_KEY = payload

props.conf:

[my_sourcetype]
TRANSFORMS-extract-site-from-payload = test_extract_payload, test_extract_site

This way you'll get your site field extracted from an event containing

payload: "whatever whatever site: site1 whatever"

but not from just

"whatever whatever site: site1 whatever"

or

payload: "whatever whatever" site: site1
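To make the ordering point concrete, here is an added Python model of the chained-transform setup for both the question's RADIUS events and the payload/site example above (example code written for this thread, not Splunk's pipeline and not either poster's code). It assumes a simplified pipeline: each stanza reads its SOURCE_KEY (the raw event, or a field an earlier stanza produced), runs REGEX, and expands FORMAT; the `(?<name>)` to `(?P<name>)` rewrite exists only because Python's re module spells named groups differently. The two events are constructed copies of the question's syslog lines, RADIUS_TRANSFORMS splits the question's single stanza into the two stanzas the answer recommends, and PAYLOAD_TRANSFORMS is the answer's example with the site group written as `site:\s(\S+)`.

```python
import re

# Constructed copies of the two events from the question (sample input, not live data).
EVENTS = [
    '<132>1 2023-12-24T09:48:05+00:00 DCSECIDKOASV02 ikeyserver 8244 - '
    '[meta sequenceId="2850227"] {Warning}, {RADIUS}, {W-006001}, '
    '{An invalid RADIUS packet has been received.}, {0x0C744774DF59FC530462C92D2781B102}, '
    '{Source Location:10.240.86.6:1812 (Authentication)}, {Client Location:10.240.86.18:42923}, '
    '{Reason:The packet is smaller than minimum size allowed for RADIUS}, {Request ID:101}, '
    '{Input Details:0x64656661756C742073656E6420737472696E67}, {Request Type:Indeterminate}',
    '<132>1 2023-12-24T09:48:05+00:00 DCSECIDKOASV02 ikeyserver 8244 - '
    '[meta sequenceId="2850228"] {Warning}, {RADIUS}, {W-006001}, '
    '{An invalid RADIUS packet has been received.}, {0xBA42228CB3604ECFDEEBC274D3312187}, '
    '{Source Location:10.240.86.6:1812 (Authentication)}, {Client Location:10.240.86.19:18721}, '
    '{Reason:The packet is smaller than minimum size allowed for RADIUS}, {Request ID:101}, '
    '{Input Details:0x64656661756C742073656E6420737472696E67}, {Request Type:Indeterminate}',
]

# The question's stanza, split into two ordered stanzas: stage 1 reads _raw,
# stage 2 reads the Last_Part field that stage 1 produced.
RADIUS_TRANSFORMS = [
    {
        "REGEX": r'.*?"]\s+\{(?<Severity>\w+)\},\s+\{\w+\},\s+\{(?<DeviceID>[^}]*)\},(.*)',
        "FORMAT": "Severity::$1 DeviceID::$2 Last_Part::$3",
    },
    {
        "SOURCE_KEY": "Last_Part",
        "REGEX": r"Reason:(.*?)\}",
        "FORMAT": "Reason::$1",
    },
]

# The answer's payload -> site example (site group as \S+ so the whole token is captured).
PAYLOAD_TRANSFORMS = [
    {"REGEX": r'payload:\s"([^"]+)"', "FORMAT": "payload::$1"},
    {"SOURCE_KEY": "payload", "REGEX": r"site:\s(\S+)", "FORMAT": "site::$1"},
]


def pcre_to_python(pattern):
    """Splunk REGEX uses PCRE named groups (?<name>...); Python's re wants (?P<name>...)."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def apply_transform(transform, raw, fields):
    """Model one transforms.conf stanza: read SOURCE_KEY, run REGEX, expand FORMAT.

    This is a simplified model of the index-time pipeline (an assumption of this
    example), not Splunk's actual implementation.
    """
    source_key = transform.get("SOURCE_KEY", "_raw")
    if source_key == "_raw":
        source = raw
    else:
        # Only fields produced by an EARLIER stanza are visible here. If the key
        # is absent, this stanza extracts nothing: that is the ordering pitfall.
        source = fields.get(source_key)
        if source is None:
            return {}
    match = re.search(pcre_to_python(transform["REGEX"]), source)
    if not match:
        return {}
    extracted = {}
    for token in transform["FORMAT"].split():
        name, _, template = token.partition("::")
        # Substitute $N with capture group N; a function replacement keeps the
        # captured text literal even if it contains backslashes.
        extracted[name] = re.sub(
            r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template
        )
    return extracted


def run_transforms(raw, transforms):
    """Run stanzas in list order, exactly as TRANSFORMS-<class> = a, b would."""
    fields = {}
    for transform in transforms:
        fields.update(apply_transform(transform, raw, fields))
    return fields


if __name__ == "__main__":
    for event in EVENTS:
        print(run_transforms(event, RADIUS_TRANSFORMS))
    # Reversed order: stage 2 runs before Last_Part exists, so no Reason field.
    print(run_transforms(EVENTS[0], RADIUS_TRANSFORMS[::-1]))
    print(run_transforms('payload: "whatever whatever site: site1 whatever"', PAYLOAD_TRANSFORMS))
    print(run_transforms('payload: "whatever whatever" site: site1', PAYLOAD_TRANSFORMS))
```

Running the file prints Severity, DeviceID, Last_Part and Reason for each event; reversing the RADIUS_TRANSFORMS list shows Reason disappearing because the second stanza's SOURCE_KEY does not exist yet when it runs, which is the same effect you get in Splunk when the transforms are listed in the wrong order.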