Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using RegEx in Props.conf

_gkollias
Builder
‎01-18-2014 10:22 AM

Hi All,

I'm new to using regex, and I've recently made some changes that were pushed to our Splunk production which I'm (unfortunately) unable to see.

I'm hoping one will be able to give me feedback on a stanza I've created to verify that I'm using it correctly.

Here is the portion of the log I'd like to extract:

08/19/2013 10:51:31 PM - Process(x) User(y) Program(z)
                Host(linux.host.com)
ABC1234: String.

EXPLANATION

…Basically everything before “EXPLANATION”, and then the next log would continue as the same.

Here is the stanza I've created:

[props_name]
LINE_BREAKER = ([\r\n]+))
BREAK_ONLY_BEFORE = "("+EXPLANATION+")"+"\n"
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y_%H:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 23
EXTRACT-props_name = ^.+\s+(?<Process>[^\s]+)\s+(?<User>[^\s]+)\s+(?<Program>[^\s]+)\s+(?<Host>[^\s]+)\s+(?<ABC[^0-9][0-9]{4}[^0-9]>[^\s%]+)

If it’s not too much trouble or too time-consuming, I’d greatly appreciate feedback on this.

Thank You!

Tags (3)
0 Karma
Reply

Ayn
Legend
‎01-18-2014 01:46 PM

It's a good idea to test your regexes using something like for instance regexpal - http://www.regexpal.com/ - or RegExr - http://gskinner.com/RegExr/ .

In your case the sample log you show supposedly starts with a timestamp which makes your extraction fail - but maybe the timestamp isn't really part of the log, just something that you included from Splunk's own output?

0 Karma
Reply

_gkollias
Builder
‎01-18-2014 02:13 PM

That timestamp is actually part of the log. I've come across many instances where I've used the MAX_TIMESTAMP_LOOKAHEAD and other time-like attributes that have been great. Being that these logs are more human-friendly than computer-friendly (ex name=value format where Splunk can auto extract the values) using regex to extract would be a great help, but I'm not too sure I've used it properly. I'll take a look at the link you gave me...Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...