Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

props/transforms REPORT- extracting

zislin
Explorer
‎09-27-2013 07:31 AM

Hello,

I am having issues doing search time extraction via REPORT- command in props and transforms.
Here is my code.

props.conf:

[mySourceType]
SHOULD_LINEMERGE = false
KV_MODE = none
EXTRACT-myEventType = some regex which does work to extract one field
REPORT-myDHCP = dhcpack_type1, dhcpack_type2

transforms.conf

[dhcpack_type1]
REGEX=\s(dhcpd).+]\:\s(DHCPACK)\son\s(\S+)\sto\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 src_host::$5 dest_int::$6

[dhcpack_type2]
REGEX=\s(dhcpd).+]\:\s(DHCPACK)\sto\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 dest_int::$5

Here are two events which get hit by these two respective regexes.

10:27:33.000 AM     

Sep 27 10:27:33 11.111.11.11 dhcpd[12345]: DHCPACK on 22.222.22.22 to 00:aa:bb:cc:dd:ee (somehostname) via eth1 relay eth1 lease-duration 1814400 (RENEW)

Sep 27 10:27:33 11.111.11.11 dhcpd[12345]: DHCPACK to 12.12.12.12 (00:bb:cc:11:22:33) via eth1

When I search for my source type i do not get my fields extracted. I've tested the regex, it is fine. I am at loss how else I can troubleshoot this.

Thanks.

Reply

sonny_monti
Path Finder
‎05-17-2019 12:47 AM

Are you aliasing those fields later?
If you alias fields in the props.conf file and you use for example:
FIELDALIAS- = (orig_field_name AS|ASNEW new_field_name)

In case you use AS, if the original fieldname is not found splunk deletes the new fieldname, so if for some reason a event does not contain it, it would delete the new, to fix this problem, use ASNEW.

When these problem happens my approach is to read the .conf documentation

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎09-27-2013 10:29 AM

I would start by checking the metadata/*.meta files and verify that those extractions are permissioned correctly.

0 Karma
Reply

zislin
Explorer
‎09-27-2013 10:57 AM

I have the following in default.meta:

[]
access = read : [ * ], write : [ admin ]
export = system

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...