Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create the regex for an Index time field extraction?

MattibergB
Path Finder
‎02-21-2019 11:37 AM

Hi,

We are trying to create an index time field extraction. I tried following the docs, but I am making a mistake somewhere.

It is working as a search time extraction, but we are running into performance issues/would like to use tsats without a datamodel.

The log line is:

Feb 21 20:28:22 server-name %PARSER-5-TESTLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable

props:

[sourcetype]
TRANSFORMS-test = test

transforms:

[test]
REGEX = %(?\S+):\s(?[\S\s]+)
WRITE_META = true

Is anyone able to point me into the right direction?

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎02-21-2019 02:50 PM

Hi MattibergB,

You don't necessarily need to have names for the capturing groups 😉

Try this in your transforms.conf

[test]
REGEX = %(\S+):\s([\S\s]+)
FORMAT = $1::$2
WRITE_META = true

Put it on the parsing instance and restart Splunk.

Hope this helps ...

cheers, MuS

PS: don't forget to add fields.conf on your SH like @somesoni2 mentioned

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎02-21-2019 02:50 PM

Hi MattibergB,

You don't necessarily need to have names for the capturing groups 😉

Try this in your transforms.conf

[test]
REGEX = %(\S+):\s([\S\s]+)
FORMAT = $1::$2
WRITE_META = true

Put it on the parsing instance and restart Splunk.

Hope this helps ...

cheers, MuS

PS: don't forget to add fields.conf on your SH like @somesoni2 mentioned

0 Karma
Reply
Solved! Jump to solution

MattibergB
Path Finder
‎02-22-2019 03:25 AM

Thank you for pointing me in the right direction!

Matti

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-21-2019 11:44 AM

I hope you're following this documentation.
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction#Define_ad...

So check these
1) ensure the regex is correct.
2) You need to have a name to the capturing group (name of the field). I don't see that in the config you posted in the question.
3) Add an entry in the fields.conf (see the documentation above).
4) Ensure that you're placing the config in correct Splunk server (heavy forwarder OR indexer whichever comes first on your data flow).

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...