Solved: How to write regex to extract and index a field en...

sadkha · ‎09-29-2014

I have a set of logs which wasn't automatically parsed when indexed into Splunk.

I would like to extract a field from the logs, however the Interactive Field Extractor isn't picking up on the pattern. I would like to extract the second group of quotations after the phrase "SAML 2.0" (including the quotes) come up in the logs:

...."SAML 2.0" - - - "11.11.111.1111" "www.yahoo.com"

That's essentially how all of the logs look like. I was wondering how I could tell splunk to only extract the 2nd group of quotes after it sees SAML 2.0?

kml_uvce · ‎09-29-2014

In transforms.conf add:

[stanzaname]
REGEX =  .*"SAML 2.0".*\"(?.*)\".*
FORMAT = fieldname::"$1"
WRITE_META = true

props.conf
Add the following lines to props.conf:

[testlog]
TRANSFORMS-netscreen = stanzaname

fields.conf
Add the following lines to fields.conf:

[fieldname]
INDEXED=true

Restart Splunk for your configu

View solution in original post

kml_uvce · ‎09-29-2014

In transforms.conf add:

[stanzaname]
REGEX =  .*"SAML 2.0".*\"(?.*)\".*
FORMAT = fieldname::"$1"
WRITE_META = true

props.conf
Add the following lines to props.conf:

[testlog]
TRANSFORMS-netscreen = stanzaname

fields.conf
Add the following lines to fields.conf:

[fieldname]
INDEXED=true

Restart Splunk for your configu

How to write regex to extract and index a field enclosed in quotations after a known string?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!