Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why isn't this field transform working?

dpanych
Communicator
‎01-22-2019 11:58 AM

Hi everyone, I'm having trouble applying the following fields transformation — it's not "parsing" during search time. The regex works fine, it's parsing VALUE, so for example, CODE=22344, but nothing seems to go on during search time. Any help is much appreciated.

Regex:

<([^>]+)>\h+([^<]+)(?:\h+|$)

Sample data:

Jan 22 09:00:00 10.10.0.190 MCS:BS::REPORT::RUN: <Code> 22344 <Type> AUDIT <Severity> PROCESS <Category> SECURITY <User> root <HwSource> MCGUI <Summary> Report ran <report> /Usage Intelligence - Front End Capacity 

Jan 22 09:00:00 10.10.0.190 MCS:BS::REPORT::RUN: <Code> 22344 <Type> AUDIT <Severity> PROCESS <Category> SECURITY <User> root <HwSource> MCGUI <Summary> Report ran <report> /Usage Intelligence - Backend Capacity

Jan 22 08:51:51 10.10.0.190 MCS:AvmgrLoginModule::USER::LOGOFF: <Code> 22343 <Type> AUDIT <Severity> USER <Category> SECURITY <User> MCUser <HwSource> ss-1r <Summary> User logoff successful <action> logout
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎01-23-2019 01:52 AM

Hi,

If you want extract field names and values both from raw data at search time then it is possible using props and transforms.

To accomplish using Splunk Web

  1. Settings -> Fields -> Field Transformations -> New Field Transformation, provide any user friendly name; type regex; copy your regex <([^>]+)>\h+([^<]+)(?:\h+|$) and in format provide $1::$2 and tick Automatically clean field names; Save.
  2. Settings -> Fields -> Field Extractions -> New Field Extraction, provide any user friendly name; select source, host or sourcetype based on your requirement and provide corresponding value in named input; type - select Uses transform; in extraction/Transform provide use friendly name which you have given in step 1 (while creating field transformation); Save

Now search your data with base query and it will automatically extract fields action, category, .... with their values based on regex. I have tested above steps in my lab environment with sample data you have provided and it is extracting various fields with values.

View solution in original post

Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎01-23-2019 01:52 AM

Hi,

If you want extract field names and values both from raw data at search time then it is possible using props and transforms.

To accomplish using Splunk Web

  1. Settings -> Fields -> Field Transformations -> New Field Transformation, provide any user friendly name; type regex; copy your regex <([^>]+)>\h+([^<]+)(?:\h+|$) and in format provide $1::$2 and tick Automatically clean field names; Save.
  2. Settings -> Fields -> Field Extractions -> New Field Extraction, provide any user friendly name; select source, host or sourcetype based on your requirement and provide corresponding value in named input; type - select Uses transform; in extraction/Transform provide use friendly name which you have given in step 1 (while creating field transformation); Save

Now search your data with base query and it will automatically extract fields action, category, .... with their values based on regex. I have tested above steps in my lab environment with sample data you have provided and it is extracting various fields with values.

Reply
Solved! Jump to solution

dpanych
Communicator
‎01-23-2019 02:26 PM

This worked! Thank you very much. I had only the first part done initially.

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎01-22-2019 12:33 PM

Search time regex like this (I would assume you are doing it with a rex command) can't extract the field name in this manner. You won't get any fields because you aren't using a named capture group, only unnamed capture groups. If you want this to work, it would have to be done at index time. If you can't do it at index time you need to extract the fields with named capture groups, which is probably going to be a PITA to do with events that are not equivalent to each other. You may have to do something like:

... | rex "\<code\> (?<Code>\d+)" | rex "<\Type\> (?<type>[^\<]+)\s" | rex ...
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...