This rex statement works in the search command: rex field=source "3......(?P
I would like to convert it into REGEX statement in transforms.conf file.
What should be the REGEX statement?
Thanks in advance.
I'd also suggest this page. It's a nice, easy walkthrough of using transforms.conf and props.conf for field extractions.
Assuming this is a search-time extraction, you simply need to identify the field to "look" at as SOURCE_KEY (if you omit that, the default SOURCE_KEY is _raw).
The regex is fine as is. Since you are extracting a field and not asking Splunk to produce the key-value pair dynamically, you specify it in the regex as you've done, and then you can, for documentation, specify the format.
[procname]
SOURCE_KEY = source
REGEX = 3......(?P
FORMAT = procname::$1
Be sure to call the stanza (procname, in my example) from a REPORT- directive in props.conf.
The transforms.conf spec here shows a slightly different example, where the SOURCE_KEY defaults to raw and the transform is actually renaming the KEY of a KEY value pair already in the data, but it's the same principle.
[netscreen-error-field]
REGEX = device_id=[w+](?
FORMAT = err_code::$1
Here is a complete walk-through of all sorts of search-time extractions using props.conf and transforms.conf, for reference.
Thanks. But Splunk doesn't pick it up. Here is what I have in props.conf and transforms.conf.
props.conf:
[source::/logs/dxserver/3*_query_*.log]
REPORT-queryLog = dsaname
transforms.conf:
[dsaname]
SOURCE_KEY = source
REGEX = 3......(?P
FORMAT = dsaname::$1
Example of the source field: "/logs/dxserver/3wtxq20corerly1_query_20140601.log". I expect the dsaname field to equal 'core' (without the quotes).
Any syntax or format errors?
Thanks.
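Added here as a stand-alone illustration, not Splunk's code or either poster's config: a small Python model of how a REPORT- transform picks its input via SOURCE_KEY, applies REGEX to it and builds the field from FORMAT, including the props.conf source:: wildcard match. The REGEX on this page is cut off, so the one below is a hypothetical stand-in that returns "core" for the sample path.

```python
import re
from configparser import ConfigParser

# Constructed props.conf / transforms.conf text mirroring the stanzas in the thread.
# The page's REGEX is cut off; this one is a hypothetical stand-in, not the poster's.
PROPS_CONF = """
[source::/logs/dxserver/3*_query_*.log]
REPORT-queryLog = dsaname
"""
TRANSFORMS_CONF = """
[dsaname]
SOURCE_KEY = source
REGEX = 3......(?P<dsaname>[a-z]+)rly
FORMAT = dsaname::$1
"""

def load_conf(text):
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REPORT-queryLog / SOURCE_KEY case as written
    cp.read_string(text)
    return cp

def source_stanza_matches(stanza, source):
    """Match a props.conf [source::...] stanza: '*' stops at '/', '...' crosses it."""
    pat = re.escape(stanza[len("source::"):])
    pat = pat.replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(pat, source) is not None

def apply_transform(stanza, event):
    """Run one transforms.conf stanza against the event field named by SOURCE_KEY."""
    text = event.get(stanza.get("SOURCE_KEY", "_raw"), "")  # default is _raw
    m = re.search(stanza["REGEX"], text)
    if not m:
        return {}  # no match on the chosen key: no field, which is what the asker sees
    if "FORMAT" in stanza:
        name, value = stanza["FORMAT"].split("::", 1)
        return {name: re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)}
    return m.groupdict()  # no FORMAT: named groups become the fields

def extract_fields(props_text, transforms_text, event):
    """Apply every REPORT- transform whose props.conf source:: stanza matches the event."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    fields = {}
    for section in props.sections():
        if section.startswith("source::") and source_stanza_matches(section, event["source"]):
            for key, names in props[section].items():
                if key.startswith("REPORT-"):
                    for name in names.split(","):
                        fields.update(apply_transform(transforms[name.strip()], event))
    return fields
```

Dropping SOURCE_KEY from the stanza makes the regex run against _raw instead of the path, which is the quickest way to get an empty result from an otherwise correct REGEX.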