Field Extractions

Hazel
Communicator

Hello,

I am trying to configure a props/transforms and it is not working. It does not come up as an extra field that I can select in the web search.

Can you see anything wrong with this?

The path I am extracting from looks something like /app/ems/envs/U1_LN_DERIV_TMS/logs/trace.log

I want to pick up the directory name in the middle - U1_LN_DERIV_TMS.

I even tried changing my regex to (.*) to see if there was a problem with the regex (which I have tested in Splunk Web and it worked fine) and it still doesn't come through.

Have I missed something obvious? I have also tried it with and without the quotes around the REGEX.

props.conf:

[source::///app/ems/envs/uat/.../logs/trace.log]
REPORT-ems = instanceName

transforms.conf

[instanceName]
SOURCE_KEY = source
REGEX=\/app\/ems\/envs\/uat\/([A-Z0-9_]*)\/logs\/trace.log
FORMAT = emsinstance::$1

gkanapathy
Splunk Employee

Too many slashes at the beginning of [source:///...]. The extra slashes are only used (rather unnecessarily anyway) in inputs.conf stanzas, not props.conf.

Also, you can test regexes at the CLI directly using the | rex search command:

... | rex field=source "/app/ems/envs/uat/(?<emsinstance>\w*)/logs/trace.log"


Lowell
Super Champion

gkanapathy is right about what your problem is. I just had a few thoughts that wouldn't fit in a comment.

Just so you know, you can use named capture groups, like (?<emsinstance>\w+), in your transforms.conf file just like you do using rex. When you're using named groups, you don't need the FORMAT line anymore. I found that this approach makes it quicker to jump between interactive testing with rex and then copying the regex into my transforms.conf file.

In this case, you also have the option of using an EXTRACT entry in your props.conf file. I rather prefer this approach, since you can set up everything in one place, and you don't have to come up with some arbitrary transformer name. 😉

Here's an example in props.conf:

[source::/app/ems/envs/uat/*/logs/trace.log]
EXTRACT-fields = [/\\]uat[/\\](?<emsinstance>[\w_]+)[/\\]logs[/\\] in source

Notes: I use [/\\] because it will match both unix-style and dos-style paths (if that's a concern for you), and you can use that in your source config entry too, although it looks ugly: [source::[/\\]app[/\\]ems[/\\]envs[/\\]uat[/\\]*[/\\]logs[/\\]trace.log]. You may also note that I'm not matching the whole path in the regex, which is because in this case you really don't need to; your [source::...] stanza is doing that work for you already.

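As an added illustration (this is not code from the thread, and not Splunk's own implementation), the Python script below emulates offline the two things the answers above turn on: whether a [source::...] stanza selects the path at all (the extra-slashes problem gkanapathy points out), and what the extraction regex returns once it does (the FORMAT/$1 form from the question versus the named-group form Lowell recommends). It assumes Splunk's stanza wildcards behave as "..." matching anything including "/" and "*" matching anything except "/", and it rewrites Splunk's (?<name>...) group syntax into Python's (?P<name>...) so the exact regex string from transforms.conf or props.conf can be tested. The sample paths are constructed for the demonstration.

```python
import re

# Constructed sample source values, in the shape discussed in the thread.
SOURCE = "/app/ems/envs/uat/U1_LN_DERIV_TMS/logs/trace.log"
WIN_SOURCE = r"C:\app\ems\envs\uat\U1_LN_DERIV_TMS\logs\trace.log"

# Stanza headers from the thread: the question's (too many slashes), the corrected
# one, and Lowell's single-segment wildcard variant.
BROKEN_STANZA = "source::///app/ems/envs/uat/.../logs/trace.log"
FIXED_STANZA = "source::/app/ems/envs/uat/.../logs/trace.log"
LOWELL_STANZA = "source::/app/ems/envs/uat/*/logs/trace.log"

# The question's transforms.conf regex + FORMAT, and Lowell's named-group regex.
Q_REGEX = r"\/app\/ems\/envs\/uat\/([A-Z0-9_]*)\/logs\/trace.log"
Q_FORMAT = "emsinstance::$1"
L_REGEX = r"[/\\]uat[/\\](?<emsinstance>[\w_]+)[/\\]logs[/\\]"


def stanza_to_regex(stanza):
    """Turn a props.conf [source::...] pattern into an anchored Python regex.
    Assumed wildcard semantics (an assumption of this script, not a quote of the
    spec): '...' matches anything including '/', '*' matches anything except '/',
    every other character is literal."""
    if not stanza.startswith("source::"):
        raise ValueError("only source:: stanzas are emulated here")
    pattern = stanza[len("source::"):]
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def stanza_matches(stanza, source):
    """Would this stanza apply to an event whose source field is `source`?"""
    return re.match(stanza_to_regex(stanza), source) is not None


def splunk_regex_to_python(regex):
    """Splunk (PCRE) names groups as (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", regex)


def apply_transform(regex, fmt, value):
    """Emulate one REPORT/EXTRACT regex run against `value` (the SOURCE_KEY field).
    With a FORMAT such as 'field::$1', expand the $n references; without one,
    every named group becomes a field, as Lowell describes."""
    m = re.search(splunk_regex_to_python(regex), value)
    if not m:
        return {}
    if fmt:
        fields = {}
        for pair in fmt.split():  # FORMAT may hold several space-separated pairs
            name, _, template = pair.partition("::")
            fields[name] = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
        return fields
    return m.groupdict()


if __name__ == "__main__":
    for stanza in (BROKEN_STANZA, FIXED_STANZA, LOWELL_STANZA):
        print(f"{stanza!r:55} selects {SOURCE}? {stanza_matches(stanza, SOURCE)}")
    print("question regex + FORMAT:", apply_transform(Q_REGEX, Q_FORMAT, SOURCE))
    print("named-group regex, unix:", apply_transform(L_REGEX, None, SOURCE))
    print("named-group regex, dos :", apply_transform(L_REGEX, None, WIN_SOURCE))
```

Running it shows the stanza with three slashes never selecting the event while both corrected stanzas do, and both regex styles yielding the same emsinstance field; the "..." stanza also accepts extra directory levels between uat and logs, which the "*" stanza rejects.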

Hazel
Communicator

Thanks, I will try this. I have already been using rex to test my regex, which is why I assumed it was probably a syntax issue rather than a regex issue!
