About wennebo1

wennebo1 · ‎06-24-2019

After gaining a better understanding of search-time and index-time extractions, I found out what the problem was. The transformations available for editing in Splunk Cloud can only be used for search-time extractions. From the page on field extractions: You cannot manage index-time field extractions in Splunk Web. And, from the page on transformations.conf: * At index time only, you can use FORMAT to create concatenated fields: * Example: FORMAT = ipaddress::$1.$2.$3.$4 So you will either need to use the method suggested by @DavidHourani, or submit a ticket to Splunk to request a new index-time field extraction. Not ideal, but this should clarify the problem if anyone else has the same issue.

wennebo1 · ‎06-24-2019

Hello David, That's a good idea, and might be an option. I would need to make sure I know all the different players in advance, and update if new ones are added, which could get a little annoying. Even so, I would still need to use a field transformation to allow each field to hold multiple values.

wennebo1 · ‎06-24-2019

I'm using Splunk Cloud, so I cannot edit the .conf files directly. I'm restricted to only the web interface. I did try putting double quotes around the captures, but it seems they are ignored. Player_"$1"_Score becomes Player_$1_Score . I tried reversing it too, just in case. "Player_"$1"_Score" also becomes Player_$1_Score .

wennebo1 · ‎06-24-2019

Unfortunately, I cannot use the field extractor for two reasons. First, because the resultant fields need to have multiple values per field. Second, because the field extractor cannot use event data in the field names. Neither of these can be done with the field extractor.

wennebo1 · ‎06-21-2019

We are trying to extract both fields and their names from events that have a variable number of elements. We have determined that using a field transformation is the best way to do this, in order to have multi-valued fields. The names of the fields will be built using the elements in the event. An example event: 2019-06-21 14:30 Total Points Player: Red Score: 17,Player: Blue Score: 8,Player: Green Score: 12,Player: Blue Score: 11,Player: Yellow Score: 7,Player: Yellow Score: 10 We would like to extract several fields that look like the this: Player_Red_Score: 17 Player_Blue_Score: 8 11 Player_Green_Score: 12 Player_Yellow_Score: 7 10 The field transformation regular expression is: (\w+) Score: (\d+) And its format is: Player_$1_Score::$2 But we end up with fields named Player_$1_Score . How can we define custom names for these fields by concatenating static text with an extracted field name? I see that this can be done as shown in the documentation here: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Configureindex-timefieldextraction Any idea what might be going wrong?

wennebo1 · ‎06-03-2019

Your additional comment was what really helped me to understand. I was still a little unsure, as SSH could be the "app" authenticating into an a WordPress server, for example. Thank you!

wennebo1 · ‎06-03-2019

We are trying to incorporate many different sources into our Splunk instance under the CIM. What is supposed to go in the app field for the Authentication data model? Is this intended to be the application the user is logging into, or the back-end application the user is using to log in (ldap, shibboleth, etc.)?

Posts	7
Solutions	1
Karma Given	7
Karma Received	0
Member Since	‎06-03-2019

Online Status	Offline
Date Last Visited	‎04-14-2022 10:32 AM

Concatenating fields in a field transformation

Can someone clarify the intended use for the "app"...

Re: Concatenating fields in a field transformation

Re: Concatenating fields in a field transformation

Re: Concatenating fields in a field transformation

Re: Concatenating fields in a field transformation

Concatenating fields in a field transformation

Re: Can someone clarify the intended use for the "...

Can someone clarify the intended use for the "app"...

Join the Conversation