I am able to successfully extract the field at search time from the "host" field using rex with the following:
source="XXX" | rex field=host s(?P<storeNo>\d\d\d)store
When I try to add this using the Interactive Field Extractor and test it, it does not work. When I run a test, I can see that it adds quotations. The search below with quotes does not work.
source="XXX" | rex "field=host s(?P<storeNo>\d\d\d)store"
It looks like this in the props.conf file:
EXTRACT-storeNo = field=host s(?P<storeNo>\d\d\d)store
How do I make this a persistent field?
You should post a few sample events containing the string you want to extract.
The rex statement should have the starting double quote after the field=fieldname specification. You seem to have noted that your config didn't work.
Probably the props.conf config should be:
EXTRACT-blah = \ss(?<storeNo>\d\d\d)store\s in host
From the docs regarding props.conf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
EXTRACT-<name> = [<regex>|<regex> in <src_field>]
* Used to create extracted fields (search-time field extractions) that do not reference
transforms.conf stanzas.
* Performs a regex-based field extraction from the value of the source field.
* The <regex> is required to have named capturing groups. When the <regex> matches, the named
capturing groups and their values are added to the event.
* Use '<regex> in <src_field>' to match the regex against the values of a specific field.
Otherwise it just matches against _raw (all raw event data).
* NOTE: <src_field> can only contain alphanumeric characters (a-z, A-Z, and 0-9).
* If your regex needs to end with 'in <string>' where <string> is *not* a field name, change
the regex to end with '[i]n <string>' to ensure that Splunk doesn't try to match <string>
to a field name.
/K
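As an added illustration (not Splunk's code and not part of the answer above), the following Python emulates how an EXTRACT value is split into the regex and the optional "in <src_field>" part per the props.conf docs quoted above, including the "[i]n <string>" escape, and then applies it to a constructed event; the sample event and host value are constructed for the demo.

```python
import re

# Grammar from the props.conf docs: "<regex>" or "<regex> in <src_field>", where
# <src_field> may only contain [A-Za-z0-9]. A regex that ends with "[i]n <string>"
# does not match this pattern, so it stays a literal regex (the documented escape).
_IN_FIELD = re.compile(r"^(?P<regex>.*\S)\s+in\s+(?P<field>[A-Za-z0-9]+)\s*$")


def parse_extract(value):
    """Split an EXTRACT-<name> value into (python_regex, source_field_or_None)."""
    m = _IN_FIELD.match(value)
    if m:
        regex, field = m.group("regex"), m.group("field")
    else:
        regex, field = value.strip(), None
    # Splunk accepts PCRE (?<name>...); Python's re needs (?P<name>...).
    # The lookahead keeps lookbehinds such as (?<= and (?<! untouched.
    regex = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex)
    return regex, field


def apply_extract(value, event):
    """Return a copy of the event with the named groups added when the regex matches.

    Without "in <src_field>" the regex runs against _raw, exactly as the docs say,
    which is why "field=host ..." as an EXTRACT value extracts nothing.
    """
    regex, field = parse_extract(value)
    target = event.get(field) if field else event.get("_raw", "")
    out = dict(event)
    if target is None:
        return out
    m = re.search(regex, target)
    if m:
        out.update({k: v for k, v in m.groupdict().items() if v is not None})
    return out


# Constructed sample event (hypothetical host value with whitespace around the token,
# as the answer's \s anchors require).
SAMPLE_EVENT = {"host": "dc1 s123store pos",
                "_raw": "2024-01-01 00:00:00 checkout completed on dc1 s123store pos"}

WORKING = r"\ss(?<storeNo>\d\d\d)store\s in host"      # the answer's config
BROKEN = r"field=host s(?P<storeNo>\d\d\d)store"        # the question's config
LITERAL = r"(?<word>\w+) [i]n foo"                       # "[i]n" escape, no field

if __name__ == "__main__":
    print(apply_extract(WORKING, SAMPLE_EVENT).get("storeNo"))  # 123
    print(apply_extract(BROKEN, SAMPLE_EVENT).get("storeNo"))   # None
```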
Thank you. Replacing 'field=host' with 'in host' fixed the issue.