Possible bug with Field Extraction, regex works fine with search but not with Field extraction

somesoni2
SplunkTrust

I have an index where I have indexed a csv file with 7 fields. The following is the format of the csv file (header row):

timestamp,field1,field2,field3,field4,field5,field6

Since the fields were not automatically extracted, I used the 'Extract field' option of Splunk to do the same. Except for field5, all other field extractions are working fine. For field5, I validated the regular expression generated by Splunk and it works perfectly with search (using the rex command), but not with Field extraction:

EXTRACT-Field5=(?i)^(?:[^,]*,){5}(?P<Field5>[^,]+)

Does anyone have any idea whether this is a possible bug with Field Extraction, or a better way to extract fields from a csv file? Splunk version is 5.0.5.


kristian_kolb
Ultra Champion

The best way would probably be to use a REPORT with DELIMS and FIELDS, instead of an EXTRACT;

props.conf

[your_sourcetype]
REPORT-blah = extract_csv_blah

transforms.conf

[extract_csv_blah]
DELIMS = ","
FIELDS = fieldname1, fieldname2, fieldname3, fieldname4, fieldname5, fieldname6, fieldname7

Read more in the docs for transforms.conf;

http://docs.splunk.com/Documentation/Splunk/5.0.1/Admin/Transformsconf

Hope this helps,

K
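As an added illustration (not part of the original answer), the following Python script compares the question's EXTRACT regex with a plain delimiter split in the spirit of DELIMS/FIELDS on constructed sample rows. It assumes the header row from the question and simple comma splitting; it does not model Splunk's actual field parser.

```python
import re

# The EXTRACT regex posted in the question (anchored at the 6th comma-separated field).
EXTRACT_FIELD5 = re.compile(r"(?i)^(?:[^,]*,){5}(?P<Field5>[^,]+)")

# Field names taken from the question's header row; stands in for FIELDS in transforms.conf.
FIELDS = ["timestamp", "field1", "field2", "field3", "field4", "field5", "field6"]

# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    "2014-01-01T00:00:00,a,b,c,d,e,f",   # well-formed row
    "2014-01-01T00:00:01,a,b,c,d,,f",    # field5 empty
    "2014-01-01T00:00:02,a,b,c,d",       # short row, field5 and field6 missing
]


def extract_with_regex(event):
    """Mimic EXTRACT-Field5: return the captured value, or None when the regex does not match.
    Note that [^,]+ requires at least one character, so an empty field5 yields no match."""
    m = EXTRACT_FIELD5.search(event)
    return m.group("Field5") if m else None


def extract_with_delims(event, fields=FIELDS):
    """Mimic REPORT with DELIMS="," and FIELDS: split on the delimiter and pair values with names.
    An empty value is still extracted (as ""); a short row simply leaves trailing fields absent."""
    values = event.split(",")
    return dict(zip(fields, values))


def compare(events=SAMPLE_EVENTS):
    """Return, per event, the field5 value each approach yields (None when not extracted)."""
    return [(extract_with_regex(e), extract_with_delims(e).get("field5")) for e in events]


if __name__ == "__main__":
    for event, (rx, dl) in zip(SAMPLE_EVENTS, compare()):
        print(f"{event!r}: regex={rx!r} delims={dl!r}")
```

The second row shows the practical difference: a delimiter-based extraction returns an empty field5 where the `[^,]+` regex returns nothing at all.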


somesoni2
SplunkTrust

This seems to solve the issue. Thanks Kristian...
