Solved: Re: How to make a rex field extraction permanent f...

mlb19 · ‎09-01-2015

Hi Splunkers,

I need to extract the name of the computer generating the log from the file name. I found a way to do so with rex:

index=* | rex field=source ".(?<Chassis>C\d+)"

That works as it should, but the field is only present for the search creating the field.
So I thought I need to extract the field in my props.conf in order to make them permanent.

What I tried and what I found here on Splunk Answers did not work. I guess it has something to do with extracting a field from the source field.

Here is what I tried:

1)

[RT-VPM]
EXTRACT-Chassis = C\d+ in source

2)

[RT-VPM]
EXTRACT-Chassis = .(?<Chassis>C\d+) in source

I also tried quite a few variations on 1 and 2, but I did not document all of them.

I hope somebody is able to help me

Cheers

dturnbull_splun · ‎09-01-2015

You need to use a transform where you have a different source field:

# props.conf
[RT-VPM]
REPORT-chassis = chassis

# transforms.conf
[chassis]
SOURCE_KEY=source
REGEX = .(?<Chassis>C\d+)

View solution in original post

Muwafi · ‎03-05-2018

could this work on lookup output fields also ?? and what will be the solution if not?

dturnbull_splun · ‎09-01-2015

You need to use a transform where you have a different source field:

# props.conf
[RT-VPM]
REPORT-chassis = chassis

# transforms.conf
[chassis]
SOURCE_KEY=source
REGEX = .(?<Chassis>C\d+)

mlb19 · ‎09-01-2015

thank you that worked!

How to make a rex field extraction permanent for a field extraction from source?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases