Transform regex resulting in host=$1 in search results

jlixfeld
Path Finder

I've clearly munged something in my transform:

# props.conf

[snmp-trap]
pulldown_type = true
maxDist = 3
# Timestamp format for the "2011-10-03 17:33:40" prefix on each line
# (the value as posted, %b %d %H:%M:%S, does not match that prefix)
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
# Index-time transform that sets the host field (the documented key form is TRANSFORMS-<class>)
TRANSFORMS = snmp-trap-host
# Search-time field extraction
REPORT-snmp-trap = snmp-trap-extractions
SHOULD_LINEMERGE = False


# transforms.conf

[snmp-trap-host]
DEST_KEY = MetaData:Host
# Matches a dotted quad anywhere in the event; the group is non-capturing
REGEX = (?:[0-9]{1,3}\.){3}[0-9]{1,3}
FORMAT = host::$1

[snmp-trap-extractions]
# $1 = date, $2 = time, $3 = trap name
REGEX = ^(\d{4}-\d{2}-\d{2})\s(\d{2}:\d{2}:\d{2})\s([a-zA-Z]*)
FORMAT = trap_oid::$3

After running | delete, then deleting and re-adding the data input file, my searches return:

10/3/11
5:33:40.000 PM  
2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" 10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4
host=$1  sourcetype=snmp-trap  source=/var/log/snmptt/snmptt.log

However, it should read host=10.219.49.31.

The initial entry from /var/log/snmptt/snmptt.log reads as follows:

2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" 10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4

Anyone have any pointers?

1 Solution

_d_
Splunk Employee

Try wrapping your REGEX = (?:[0-9]{1,3}\.){3}[0-9]{1,3} in parentheses, as such:
REGEX = ((?:[0-9]{1,3}\.){3}[0-9]{1,3})

_d_
Splunk Employee

Hmmm... in its present state, that will capture only the first three octets of an IP address.

0 Karma

gkanapathy
Splunk Employee

Or simply change the (?:...) (non-capturing group) to a (?...) (capturing group). $1 refers to the contents of the first capturing group in the regex.

0 Karma
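To make the difference between the two suggestions concrete, here is an added example that is not part of the original thread or of Splunk's code. It models Splunk's REGEX/FORMAT substitution with Python's re module (an assumption: Splunk uses PCRE, and for these patterns Python's re behaves the same, including that a repeated capturing group holds only its last iteration). The sample event is the snmptt.log line from the question; apply_transform, extract_host and the REGEX_* names are helpers written for this illustration. The last function goes a step beyond the thread and shows a hardened host extraction that also rejects octets above 255, which [0-9]{1,3} alone accepts.

```python
import re
import ipaddress

# Constructed sample event: the snmptt.log line quoted in the question.
SAMPLE_EVENT = ('2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" '
                '10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4')

# The regex variants discussed in the thread.
REGEX_ORIGINAL = r'(?:[0-9]{1,3}\.){3}[0-9]{1,3}'    # question: no capturing group at all
REGEX_WRAPPED = r'((?:[0-9]{1,3}\.){3}[0-9]{1,3})'   # accepted answer: whole address captured
REGEX_INNER = r'([0-9]{1,3}\.){3}[0-9]{1,3}'         # inner group made capturing instead
REGEX_EXTRACT = r'^(\d{4}-\d{2}-\d{2})\s(\d{2}:\d{2}:\d{2})\s([a-zA-Z]*)'  # snmp-trap-extractions


def apply_transform(regex, fmt, event):
    """Simplified model of a Splunk transform (assumption, not Splunk's code):
    run REGEX over the event, then replace each $N in FORMAT with capture
    group N.  A $N with no corresponding group is left as the literal text
    "$N", which is exactly what the question's host=$1 shows.
    Returns None when REGEX does not match."""
    m = re.search(regex, event)
    if m is None:
        return None

    def replace_ref(ref):
        n = int(ref.group(1))
        if 1 <= n <= len(m.groups()) and m.group(n) is not None:
            return m.group(n)
        return ref.group(0)   # no such group: keep "$N" literally

    return re.sub(r'\$(\d+)', replace_ref, fmt)


def extract_host(event):
    """Hardened host extraction for the same log format: the dotted quad is
    anchored on word boundaries so a longer digit run is not split, and the
    captured text is validated as a real IPv4 address, so a value such as
    999.1.1.1 is rejected instead of becoming the host.  Returns the
    address string or None."""
    m = re.search(r'\b((?:\d{1,3}\.){3}\d{1,3})\b', event)
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


if __name__ == '__main__':
    for name, regex in (('original', REGEX_ORIGINAL),
                        ('wrapped', REGEX_WRAPPED),
                        ('inner', REGEX_INNER)):
        print(f'{name:9s} -> {apply_transform(regex, "host::$1", SAMPLE_EVENT)}')
    print('extract   ->', apply_transform(REGEX_EXTRACT, 'trap_oid::$3', SAMPLE_EVENT))
    print('hardened  ->', extract_host(SAMPLE_EVENT))
```

Running it shows the three outcomes side by side: the original pattern leaves host::$1 because there is no group 1 to substitute; the wrapped pattern yields host::10.219.49.31; and making only the inner group capturing yields host::49., because a group inside {3} keeps just the last repetition, so it never holds the full address.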