cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
peterweinstein
Explorer
Member since: ‎04-02-2012
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 3
Member Since ‎04-02-2012
Activity Feed
View All

Re: best approach to define transforms with regula...

by in Splunk Search
‎04-04-2012 02:40 PM
‎04-04-2012 02:40 PM
This answer was helpful, thanks; but didn't really answer my question which I will do here: A precise but long description of PCRE regex is at http://www.pcre.org/pcre.txt. To understand regular expressions as transformation functions, the output of a regular expression is: - the input string - minus substrings matched by the regex - substituted with output from a FORMAT argument, and substrings 'captured' in the regex referenced either with $n or the names of capture subgroups. The tool at http://gskinner.com/RegExr/ and the doc above helped me figure this out. I hope I'm right! ... View more

best approach to define transforms with regular ex...

by in Splunk Search
‎04-04-2012 10:31 AM
3 Karma
‎04-04-2012 10:31 AM
3 Karma
Hi, I would appreciate some orientation on the best way to use regular expressions to define transforms. I guess my basic confusion is that regular expressions are usually defined as recognizers, thus F(str)->(true, false) if there is a match or not. However, to define transforms we are using regular expressions as transformational functions, e.g. F(str)->(another string). I have come across several possible approaches as to how to use regexes as transformational functions: -- in the Search manual, the rex command has a "sed" mode that uses special Perl syntax to transform strings. -- regular-expressions.info describes features such as "backreferences" and "lookarounds" which seem to optionally "capture" or "keep" values ... the language suggests functional uses but unfortunately the writing is not precise. -- the Splunk web interface and examples in the manuals seem to use features from Perl Compatible Regular Expressions (e.g. (?[FIELDNAME>) to extract substrings. What approach do you prefer? I am happy to learn another grammar, but would prefer to learn one in particular! Thanks for your help! Peter ... View more

how to load an edited props.conf?

by in Splunk Search
‎04-02-2012 02:01 PM
‎04-02-2012 02:01 PM
Hi, I'm just starting to work with Splunk. I am trying to change the definition of events in an input file by editing the props.conf file in the etc/local directory. Unfortunately my edits are having no effect. I have tried: -- Adding "| extract reload=true" to the end of the active search operating on the input file -- Restarting Splunk with Manager/Restart from the web interface. One odd thing worth mentioning: when I first tried to save a modified props.conf file, I had to manually alter the Windows permissions to let myself write the file. So my question is, what is the normal development procedure for testing and updating changes to event definitions? Is there a setting somewhere else that I need to modify so manually edited changes take effect? To learn Splunk I installed it on my Windows laptop. I'm running the free version almost fresh out of the box at this point. Thanks for your help, Peter ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All