Re: index time extraction

aab5272 · ‎07-18-2017

I have to discard keyvalue pair from a event to null queue during index time extraction .Also there are certain key value pairs that i want to extract using Extract .My extract in props.conf is working file but the transform is not working .
here is the configuration:-

props.conf

TRANSFORM-null = setnull

transforms.conf

[setnull]
[ignore]
REGEX = cs\d+Label\=(.*?(?=(?:\s[\w.:\[\]]+=|$)))
REPEAT_MATCH = True
DEST_Key=queue
FORMAT=nullQueue

for belo kind of keyvalue pair is sending the whole event to nullQueue

cs5Label=EventId

Any solution?

jkat54 · ‎07-24-2017

In props.conf you've got the wrong key:

TRANSFORM-null = setnull

Should be

TRANSFORMS-null = setnull

I did the same thing about a month ago and I lost 4 hours of my life or more... vowed never to forget it again and so I spotted it right away on your post.

MuS · ‎07-18-2017

You should edit your post and use for config file content the little Code 101010 button or select the text and press CTRL-K this will keep everything as code.

Like your [setnull] stanza is empty, is that lost because of the formatting or is there actually nothing?

cheers, MuS

aab5272 · ‎07-18-2017

consider below configuration.

props.conf

TRANSFORM-null = setnull

transforms.conf

[setnull]
REGEX = cs\d+Label=(.*?(?=(?:\s[\w.:[]]+=|$)))
REPEAT_MATCH = True
DEST_Key=queue
FORMAT=nullQueue

for below kind of keyvalue pair is sending the whole event to nullQueue

cs5Label=EventId

Any solution?

woodcock · ‎07-24-2017

This is still broken. I have reformatted your code block in your original text. Go back in and DO NOT change the indenting but check/fix the character strings.

index time extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life