Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

props/transforms REPORT- extracting

zislin
Explorer
‎09-27-2013 07:31 AM

Hello,

I am having issues doing search time extraction via REPORT- command in props and transforms.
Here is my code.

props.conf:

[mySourceType]
SHOULD_LINEMERGE = false
KV_MODE = none
EXTRACT-myEventType = some regex which does work to extract one field
REPORT-myDHCP = dhcpack_type1, dhcpack_type2

transforms.conf

[dhcpack_type1]
REGEX=\s(dhcpd).+]\:\s(DHCPACK)\son\s(\S+)\sto\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 src_host::$5 dest_int::$6

[dhcpack_type2]
REGEX=\s(dhcpd).+]\:\s(DHCPACK)\sto\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 dest_int::$5

Here are two events which get hit by these two respective regexes.

10:27:33.000 AM     

Sep 27 10:27:33 11.111.11.11 dhcpd[12345]: DHCPACK on 22.222.22.22 to 00:aa:bb:cc:dd:ee (somehostname) via eth1 relay eth1 lease-duration 1814400 (RENEW)

Sep 27 10:27:33 11.111.11.11 dhcpd[12345]: DHCPACK to 12.12.12.12 (00:bb:cc:11:22:33) via eth1

When I search for my source type i do not get my fields extracted. I've tested the regex, it is fine. I am at loss how else I can troubleshoot this.

Thanks.

Reply

sonny_monti
Path Finder
‎05-17-2019 12:47 AM

Are you aliasing those fields later?
If you alias fields in the props.conf file and you use for example:
FIELDALIAS- = (orig_field_name AS|ASNEW new_field_name)

In case you use AS, if the original fieldname is not found splunk deletes the new fieldname, so if for some reason a event does not contain it, it would delete the new, to fix this problem, use ASNEW.

When these problem happens my approach is to read the .conf documentation

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎09-27-2013 10:29 AM

I would start by checking the metadata/*.meta files and verify that those extractions are permissioned correctly.

0 Karma
Reply

zislin
Explorer
‎09-27-2013 10:57 AM

I have the following in default.meta:

[]
access = read : [ * ], write : [ admin ]
export = system

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...