Splunk Search

REGEX/Props.conf - Extracting the same field from multiple places in the same sourcetype?

masonmorales
Influencer

I have one sourcetype that has a common field, but it's located at different places in the event depending on the message type. I've defined regex and tested it successfully for the three messages types. However, when I try to add the three different regex's to props.conf with the same field name, only the first one gets processed. How can I define multiple regex patterns to extract the same field name in the same source type?

The field that I am trying to extract is an aircraft tail number: N999XY in the examples below.

Message Type #1

Nov 20 20:54:33 host.mydomain.net ACCT_INTERIM,N999XY,99.99.99.99,N999XY_20141120150929,AABBCCDDEEFF,99.99.99.99,1A6F9EB7-B4EF-46CD-BCA6-024DC4360C5D,HOTSPOT_6,12345678,1234567,

Regex for Type #1

(ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),

Message Type #2

Nov 20 20:34:44 host.mydomain.net ACCESS-ACCEPT,0,99.99.99.99,N999XY_20141120185555,AABBCCDDEEFF,HOTSPOT_6,

Regex for Type #2

ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_

Message Type #3

Nov 20 20:40:49 host.mydomain.net DHCP_REQUEST,123456789,AABBCCDDEEFF,99.99.99.99,12345678,AA:BB:CC:DD:EE:FF@UNASSIGNED,N999XY,

Regex for Type #3

DHCP_REQUEST ,(?P[^,]+),$

Props.conf (/splunk/etc/system/local/props.conf)

[nms_servers_user]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = False
KV_MODE = None
TZ=GMT
EXTRACT-host_fqdn = \w+\s+\d+\s+\d+:\d+:\d+\s+(?P[^\s]+)
EXTRACT-msgtype = \.\w{3}\s+(?P[^,]+),
EXTRACT-tail = (ACCT_INTERIM|ACCT_START|ACCT_STOP),(?P[^,]+),
EXTRACT-tail = ACCESS-ACCEPT,[^,]+,[^,]+,(?P[^_]+)_
EXTRACT-tail = DHCP_REQUEST ,(?P[^,]+),$

Thanks in advance for your help!

1 Solution

Yorokobi
SplunkTrust
SplunkTrust

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$

View solution in original post

Yorokobi
SplunkTrust
SplunkTrust

Use as many EXTRACT-name statements as you need -- keep in mind, the name should be unique -- and use the same extraction you use with | rex (sans the "")

Ex:

EXTRACT-tail1 = ACCT_[INTERIM|START|STOP],(?<tailnum>[^,]+),
EXTRACT-tail2 = DHCP_REQUEST,(?<tailnum>[^,]+),$

masonmorales
Influencer

That worked perfectly. Thank you!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...