Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to determine why an inline regex using rex works, but not when configured as a field extraction.

dfenko
Explorer
‎03-23-2015 10:26 AM

I am trying to track email sending logs, using information that we adjust in the message_id while sending a message.

sourcetype=postfix_syslog postfix_id=057B41F707AA | rex field=message_id "<o-(?P<email_sender>\d+).c-(?P<email_identifier>\d+).m-(?P<email_parameter>\d+)@foobar.org>" | table postfix_id message_id email_sender email_identifier email_parameter sourcetype

During an inline search, those three extracted fields populate the table with integer values, as expected. I then update the field extractions for the sourcetype of postfix_syslog to include the following:

message_id=<o-(?P<email_sender>\d+).c-(?P<email_identifier>\d+).m-(?P<email_parameter>\d+)@foobar.org>

When I run the subsequent search listed below, those fields in the table are not populated.

sourcetype=postfix_syslog postfix_id=057B41F707AA | table postfix_id message_id email_sender email_identifier email_parameter sourcetype

I am using field discovery on the search, and none of those three fields are included on the discovered fields list.

Any help would be appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bjoernjensen
Contributor
‎03-23-2015 12:16 PM

Edit:

Sorry, I am mistaken here: I just had to read carefully through the docs:

You can also configure transforms to:

Extract fields from the values of another field (other than _raw) by using the SOURCE_KEY attribute.

In other words: If you would like to to a search-time field extraction on basis of another search-time field do it with a REPORT-Extraction and transforms.conf. Exactly as @somesoni2 describes.

Extending your corresponding props.conf WILL NOT WORK:

[postfix_syslog]
...
EXTRACT-emailfields = <o-(?P<email_sender>\d+).c-(?P<email_identifier>\d+).m-(?P<email_parameter>\d+)@foobar.org> in message_id

http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextract...

View solution in original post

Reply
Solved! Jump to solution
Solution

bjoernjensen
Contributor
‎03-23-2015 12:16 PM

Edit:

Sorry, I am mistaken here: I just had to read carefully through the docs:

You can also configure transforms to:

Extract fields from the values of another field (other than _raw) by using the SOURCE_KEY attribute.

In other words: If you would like to to a search-time field extraction on basis of another search-time field do it with a REPORT-Extraction and transforms.conf. Exactly as @somesoni2 describes.

Extending your corresponding props.conf WILL NOT WORK:

[postfix_syslog]
...
EXTRACT-emailfields = <o-(?P<email_sender>\d+).c-(?P<email_identifier>\d+).m-(?P<email_parameter>\d+)@foobar.org> in message_id

http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextract...

Reply
Solved! Jump to solution

dfenko
Explorer
‎03-23-2015 12:22 PM

I was under the understanding that using the field extractions option in the UI was the equivalent of updating the props.conf with the EXTRACT above. Am I thoroughly off-base here?

0 Karma
Reply
Solved! Jump to solution

bjoernjensen
Contributor
‎03-23-2015 01:19 PM

Conceptually the functionality of the UI has to be a subset of what splunk can accomplish as a whole. This may be a big subset, but I think there will always be things that are not fully implemented in the UI.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-23-2015 01:56 PM

Agreed. Till the time you become proficient in Splunk, you can use UI to do most of your stuff, but once you get a handle of things, you'll find implementing through configuration files is much more simpler/straightforward.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-23-2015 11:04 AM

I believe you would have to create a field transform for this extraction as you're not using _raw field values. See this on how to use field transform to setup this field extraction. After that, once restarted/reloaded, you should be able to use them in your search.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Managefieldtransforms
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextract...

Reply
Solved! Jump to solution

dfenko
Explorer
‎03-23-2015 11:08 AM

Within the same set of logs there are existing, working, extractions for discovered fields not using _raw.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-23-2015 12:20 PM

Instead of _raw, try to use your field "message_id" as the Source Key. It should be like this for you

props.conf
[Yoursourcetype]
...existing entries...
REPORT-msgfields = getmessagefields

transforms.conf
[getmessagefields]
SOURCE_KEY = message_id
REGEX = <o-(?P<email_sender>\d+).c-(?P<email_identifier>\d+).m-(?P<email_parameter>\d+)@foobar.org>
Reply
Solved! Jump to solution

dfenko
Explorer
‎03-23-2015 12:43 PM

Thank you. I'll take a look.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...