Splunk Search

rex command to regex in transforms.conf

Explorer

This rex statement works in the search command: rex field=source "3......(?P.+?)rly"
I would like to convert it into REGEX statement in transforms.conf file.
What should be the REGEX statement?

Thanks in advance.

0 Karma

Re: rex command to regex in transforms.conf

Motivator

Assuming this is a search-time extraction, you simply need to identify the field to "look" at as SOURCE_KEY (if you omit that, the default SOURCE_KEY is _raw).
The regex is fine as is. Since you are extracting a field and not asking Splunk to produce the key-value pair dynamically... you specify it in the regex as you've done... and then you can, for documentation, specify the format.


[procname]
SOURCE_KEY = source
REGEX = 3......(?P.+?)rly
FORMAT = procname::$1

Be sure to call the stanza (procname, in my example) from a REPORT- directive in props.conf.

The transforms.conf spec here shows a slightly different example, where the SOURCE_KEY defaults to _raw and the transform is actually renaming the KEY of a key-value pair already in the data... but it's the same principle.


[netscreen-error-field]
REGEX = device_id=\[w+\](?<err_code>[^:]+)
FORMAT = err_code::$1

Here is a complete walk-through of all sorts of search-time extractions using props.conf and transforms.conf, for reference.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Re: rex command to regex in transforms.conf

Explorer

Thanks. But Splunk doesn't pick it up. Here is what I have in props.conf and transforms.conf.

props.conf:
[source::/logs/dxserver/3*_query_*.log]
REPORT-queryLog = dsaname

transforms.conf:
[dsaname]
SOURCE_KEY = source
REGEX = 3......(?P.+?)rly
FORMAT = dsaname::$1

Example of the source field = "/logs/dxserver/3wtxq20corerly1_query_20140601.log". I expect the dsaname field to equal 'core' (without the quotes).

Any syntax or format errors?
Thanks.

0 Karma
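To check a REPORT- extraction like the one described in the answer above against the source path quoted in this post, without restarting Splunk, here is a small emulator (example code added to this thread; it is not Splunk's own code). It copies the posted props.conf and transforms.conf stanzas and applies the transform the way a search-time REPORT- extraction is evaluated: stanza match on source::, SOURCE_KEY selection, REGEX capture, FORMAT expansion. Assumptions: the capture group is given the name dsaname, because the thread's copy of the regex lost its group name; the quoted path is wrapped in a constructed sample event; and Python's re is taken to behave like Splunk's PCRE for a regex this simple (the script rewrites PCRE's (?<name>...) into Python's (?P<name>...)). On the quoted path it returns dsaname=core, so the regex and FORMAT do what the post expects. The second call uses a path one directory deeper: the '*' in a source:: stanza does not cross '/', so the stanza does not apply and nothing is extracted, which is one way a correct transform can silently produce no field.

```python
"""Offline check of a search-time REPORT- extraction.

Example added for this thread, not Splunk's own code. It emulates the parts
of props.conf / transforms.conf evaluation that matter for a REPORT-
extraction: stanza matching on source::, SOURCE_KEY selection, REGEX capture
(named groups extract directly) and FORMAT expansion.
Assumption: Python's re and Splunk's PCRE agree on regexes this simple.
"""
import re

# props.conf, as posted in the thread.
PROPS = {
    "source::/logs/dxserver/3*_query_*.log": {"REPORT-queryLog": "dsaname"},
}

# transforms.conf, as posted. The capture group is named here as an
# assumption: the thread's copy of the regex lost its group name.
TRANSFORMS = {
    "dsaname": {
        "SOURCE_KEY": "source",
        "REGEX": r"3......(?<dsaname>.+?)rly",
        "FORMAT": "dsaname::$1",
    },
}

# Constructed sample event: the source path quoted in the question plus a
# made-up raw line (this extraction never looks at _raw).
SAMPLE_EVENT = {
    "source": "/logs/dxserver/3wtxq20corerly1_query_20140601.log",
    "_raw": "2014-06-01 00:00:00 query ok",
}


def spec_pattern_to_regex(pattern):
    """Translate a props.conf [source::...] pattern to a regex for fullmatch.
    '...' matches anything; '*' matches anything except the '/' separator."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def stanza_matches(stanza, event):
    """True if a props.conf stanza header applies to the event."""
    for prefix, field in (("source::", "source"), ("host::", "host")):
        if stanza.startswith(prefix):
            regex = spec_pattern_to_regex(stanza[len(prefix):])
            return re.fullmatch(regex, event.get(field, "")) is not None
    return event.get("sourcetype") == stanza


def to_python_regex(regex):
    """PCRE accepts (?<name>...) for named groups; Python's re only accepts
    (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex)


def expand_format(template, match):
    """Expand $1, $2, ... in one FORMAT token from the regex match."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", template)


def apply_transform(transform, event):
    """Run one transforms.conf stanza against an event; return new fields."""
    text = event.get(transform.get("SOURCE_KEY", "_raw"))
    if text is None:
        return {}
    match = re.search(to_python_regex(transform["REGEX"]), text)
    if match is None:
        return {}
    # Named capture groups become fields even without a FORMAT.
    fields = {k: v for k, v in match.groupdict().items() if v is not None}
    for token in transform.get("FORMAT", "").split():
        name, sep, value = token.partition("::")
        if sep:
            fields[expand_format(name, match)] = expand_format(value, match)
    return fields


def run_report_extractions(props, transforms, event):
    """Apply every REPORT- transform whose props stanza matches the event."""
    fields = {}
    for stanza, settings in props.items():
        if not stanza_matches(stanza, event):
            continue
        for key, value in settings.items():
            if key.startswith("REPORT-"):
                for name in value.split(","):
                    fields.update(apply_transform(transforms[name.strip()], event))
    return fields


if __name__ == "__main__":
    print(run_report_extractions(PROPS, TRANSFORMS, SAMPLE_EVENT))
    # One directory deeper: '*' does not cross '/', so the stanza does not
    # apply and nothing is extracted.
    deeper = dict(SAMPLE_EVENT, source="/logs/dxserver/old/3wtxq20corerly1_query_20140601.log")
    print(run_report_extractions(PROPS, TRANSFORMS, deeper))
```

If the stanza matches and the field comes out here but not in Splunk, the regex and FORMAT are not the problem; look instead at where the two files live (which app or user context) and whether the search head has reloaded them.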

Re: rex command to regex in transforms.conf

Motivator

I'd also suggest this page. It's a nice, easy walkthrough of using transforms.conf and props.conf for field extractions.

0 Karma