Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

moving rex to props and transforms not woking

sajeshpp
Path Finder
‎07-03-2017 03:30 AM

Hi,
I am monitoring print events from windows event logs using WinEventLog:Microsoft-Windows-PrintService/Operational.
inputs.conf
[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0
index = index1
sourcetype = winprint

The events getting indexed and fields are extracted as key value pair in logs.

06/19/2017 09:56:22 AM
LogName=Microsoft-Windows-PrintService/Operational
SourceName=Microsoft-Windows-PrintService
EventCode=307
EventType=4
Type=Information
ComputerName=hostname.net
User=NOT_TRANSLATED
Sid=sid
SidType=0
TaskCategory=Printing a document
OpCode=Spooler Operation Succeeded
RecordNumber=541
Keywords=Document Print Job, Classic Spooler Event

Message="Document 4, TRAVEL EXPENSE STATEMENT.pdf owned by user1 on \host1 was printed on P-1234567 through port p-1234567.server.com. Size in bytes: 1695734. Pages printed: 3. No user action is required."

I need to extract the values from Message filed and assigned to new fields and it is working using below search with rex command.

index = index1| rex field=Message "(?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)"

I need this field extraction to be done with props and transforms instead of rex.

props.conf
[winprint]
REPORT-field_ext = extfield

transforms.conf
[extfield]
SOURCE_KEY = Message
MV_ADD = true
REGEX = "(?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)"

None of the fields are extracting with this props and transforms but works with rex.

Can some one please suggest what is the issue with this configuration and help to resolve the issue.

Thanks,
Sajesh

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sajeshpp
Path Finder
‎07-05-2017 02:47 AM

I suspect the issue with using transforms is, The filed "Message" that I am using as source key is extracted during search time. But you can use a field as source key if it is indexed field.

So, I got my requirement met by doing inline extraction instead of transforms.
I have used below settings in props to extract and it extracted required fields.

EXTRACT-printfields= Message="\w+\s\d+,\s(?.+)\sowned\sby\s(?\w+)\son.+printed\son\s(?\w+-\d+).+Size\s\w+\s\w+:\s(?\d+).\s\w+\s\w+:\s(?\d+)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sbbadri
Motivator
‎07-05-2017 07:41 AM

Try this,

props.conf
[winprint]
REPORT-field_ext = extfield

transforms.conf
[extfield]
REGEX = Message=\"(\S+\s\d+\,\s\S+.)\sowned\sby\s(\w+)\son\s(\S+.)\sSize\s\S+\s\S+\s(\d+).\s+Pages\sprinted:\s(\d+).\s\S+.*.\"
FORMAT = docname::$1 user::$2 printer::$3 size::$4 pages::$5

0 Karma
Reply
Solved! Jump to solution

sajeshpp
Path Finder
‎07-12-2017 05:16 AM

Tried these settings. but I cannot find the fields extracted.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-05-2017 07:15 AM

@sajeshpp - Be sure to mark your code as code. Otherwise, the interface will strip some tags out of it - words in angle brackets and so on < >

0 Karma
Reply
Solved! Jump to solution
Solution

sajeshpp
Path Finder
‎07-05-2017 02:47 AM

I suspect the issue with using transforms is, The filed "Message" that I am using as source key is extracted during search time. But you can use a field as source key if it is indexed field.

So, I got my requirement met by doing inline extraction instead of transforms.
I have used below settings in props to extract and it extracted required fields.

EXTRACT-printfields= Message="\w+\s\d+,\s(?.+)\sowned\sby\s(?\w+)\son.+printed\son\s(?\w+-\d+).+Size\s\w+\s\w+:\s(?\d+).\s\w+\s\w+:\s(?\d+)

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-05-2017 07:20 AM

Sounds correct. Please accept your answer, so the question will show as answered.

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎07-03-2017 08:12 AM

Why are you wanting to do the field extractions at index time? That defeats one of the key features of Splunk - the ability to apply different views on the same data because the field extractions happen at search time instead of index time.

If you want to extract the fields automatically, that is easy and much better than at index time. Use the Field Extraction Tool if you want, but since you have such a good regular expression already, just add the new field extraction from the Settings -> Fields -> Field extractions page.

If you use the Windows TA, it will do the field extractions at search time. By default, fields are not extracted at index time in Splunk - there is a reason for that - a very good one.

0 Karma
Reply
Solved! Jump to solution

sajeshpp
Path Finder
‎07-03-2017 11:53 PM

As I am using REPORT- in props.conf, it will do search time field extraction not index time ?
I am already using Windows TA. But it does not extract these fields.

0 Karma
Reply
Solved! Jump to solution

sbbadri
Motivator
‎07-05-2017 07:41 AM

Try this,

props.conf
[winprint]
REPORT-field_ext = extfield

transforms.conf
[extfield]
REGEX = Message=\"(\S+\s\d+\,\s\S+.)\sowned\sby\s(\w+)\son\s(\S+.)\sSize\s\S+\s\S+\s(\d+).\s+Pages\sprinted:\s(\d+).\s\S+.*.\"
FORMAT = docname::$1 user::$2 printer::$3 size::$4 pages::$5

0 Karma
Reply
Solved! Jump to solution

WalshyB
Path Finder
‎07-03-2017 04:23 AM

Regex does not require it to be wrapped in quotes, it may be thinking that is part of the string?

Also have you checked the metadata to ensure you are able to see the extraction?
local.meta
[]
access = read : [*], write : [admin,...]
export = system

Reply
Solved! Jump to solution

sajeshpp
Path Finder
‎07-03-2017 05:29 AM

-bash-4.1$ cat transforms.conf
[extfield]
SOURCE_KEY = Message
MV_ADD = true
REGEX = (?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-03-2017 07:49 AM

use the field extractor with gui.
check the props and transforms it created and then apply.
also, do you use the Splunk TA for Windows?

0 Karma
Reply
Solved! Jump to solution

sajeshpp
Path Finder
‎07-04-2017 12:44 AM

I am using TA for windows. But that didn't help.
Tried field extractor with GUI. It did not create props and transforms instead it created inline field EXRACT entry in $SPLUNK_HOME/etc/users//search/local/props.conf.

EXTRACT-docname,user,printer,size,pages = \n(?:Message=")(?:\w+\s\d+,\s)(?.+)(?:\sowned\sby\s)(?\w+)(?:\son.+printed\son\s)(?\w+-\d+)(?:.+Size\s\w+\s\w+:\s)(?\d+)(?:.\s\w+\s\w+:\s)(?\d+)

The fields are extracting with this settings, but I am not sure if this the recommended method to use it.
Is there any way we can convert this into transforms ?

0 Karma
Reply
Solved! Jump to solution

sajeshpp
Path Finder
‎07-03-2017 05:26 AM

I have removed the quotes from REGEX. still no luck.

here is my metadata.
local.meta
[]
access = read : [ * ], write : [ admin ]
export = system

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...