Re: not able to extract fields using TRANSFORMS.co...

rbsplunktest · ‎11-15-2015

Files at C:\Program Files\Splunk\etc\system\local

transforms.conf

[function_coverage]
REGEX =(fn).(name)(=)\".*?\".(fn_cov)(=)\"(.)\" 
FORMAT = xfncov::$1
WRITE_META = true
REPEAT_MATCH = true

props.conf

[customXML]
KV_MODE = xml
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Structured
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = src name="
MAX_EVENTS = 3000
xmlkv maxinputs=10000
TRANSFORMS-funcov = function_coverage

fields.conf

[xfncov]
INDEXED=true

Data in one of my events looks like:

.......
src name="ACRBase.hpp" mtime="1379335836" fn_cov="15" fn_total="19" cd_cov="9" cd_total="16" d_cov="9" d_total="16">
fn name="ACRPublic::C_SmartPtr<T>::addRef() const" fn_cov="1" fn_total="1" cd_cov="2" cd_total="2" d_cov="2" d_total="2">
probe line="46" column="4" kind="function" event="full"/>
probe line="48" kind="decision" event="full"/>
/fn>
fn name="ACRPublic::C_SmartPtr<T>::release() const" fn_cov="0" fn_total="1" cd_cov="2" cd_total="2" d_cov="2" d_total="2">
probe line="58" column="4" kind="function" event="full"/>
probe line="60" kind="decision" event="full"/>
/fn>
............
/src>
src...

I am trying to create index xfncov having fn name="ACRPublic::C_SmartPtr<T>::addRef() const" fn_cov="1"
This regex works in search using ...|regex _raw, but I am not getting any new index using the above transform. I am not able to debug where the problem is.

Can someone help?

esix_splunk · ‎11-15-2015

Have you created the physical index named "xfncov" on your indexers? Once you do this, assign the index name to the inputs for your sourcetype.

rbsplunktest · ‎11-18-2015

I have corrected my issue of field extraction by correcting my regex.

REGEX = (fn.name=/".*/".fn_cov=/"./")

But the problem is that the extracted field values have only the first match per event, thought there are multiple matches for the REGEX in an event and I want all the matches as values of extracted field.
what should I do for this??

richgalloway · ‎11-18-2015

Add MV_ADD=1 to your transforms.conf file.

---
If this reply helps you, Karma would be appreciated.

rbsplunktest · ‎11-18-2015

Thanks a lot. Now multiple fields are getting extracted. But there is one issue.

In one event I have below two texts that should match with the REGEX. These are the last two entries in one event matching the REGEX. But the last one is not getting extracted. Do you see any reason for that?

fn name="ACRPublic::C_SmartPtr<T>::debugGetRefCount() const" fn_cov="1"
fn name="ACRPublic::C_SmartPtr<T>::debugGetRefCountAddr() const" fn_cov="0"

In an another event there is only one entry and it is getting extracted.

rbsplunktest · ‎11-18-2015

It seems there is a cap on the max number of fields can be extracted per event. I tried increasing possible texts per event. In one event 18 out of 19 possible matches are extracted in another event 23 out of 25 and in one other 23 out of 30.

richgalloway · ‎11-19-2015

In my experience, regex strings fail to match when the target is slightly different from what was expected. I'm not aware of any limit to the number of fields a regex can extract.

---
If this reply helps you, Karma would be appreciated.

rbsplunktest · ‎11-22-2015

Thanks Rich Galloway,

I have even tried by just changing the string with only one number i.e if first occurrence have function1 then I have copied function2, function 3 and so on but Field extraction only extract till a point, which is not fixed. So, REGEX should not be an issue.

rbsplunktest · ‎11-16-2015

I am sorry for my language. I am editing the title.
"xfncov" will come into interesting fields automatically and will have values to which the REGEX will match isn't it?
I think this is the way of extracting the fields at the time of indexing. am I right?

not able to extract fields using TRANSFORMS.conf

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved