Solved: How to edit my props.conf to extract a field with ...

vganjare · ‎06-15-2015

HI,

I have a field which has a lot of leading zeros. Currently, this field is getting extracted as a string field. I want to extract this field as a numeric field. Following are the event details:

| ContactNumber | Age | Name  | Country |
| 0001234567    | 25  | Sunny | USA     |
| 0009854676    | 32  | Vinny | UK      |

I have used the following in props.conf for field extraction:

[MyCustomSource]
EXTRACT-CONTACT_NO = (?i)^(?:[^\t]*\t){0}(?P<CONTACT_NO >[^\t]+)

Can you please help?

Thanks!!

woodcock · ‎06-15-2015

Like this:

[MyCustomSource]
EXTRACT-CONTACT_NO = ^\s*\|\s*(?:0*)?(?<CONTACT_NO>\d+)

The main error that was going to cause it to NEVER work is the space in your capture name between the "NO" and the ">".

View solution in original post

stephanefotso · ‎06-15-2015

Hello! Try this and let me know what happen. If not working, please let me ge a sample of your raw data:

[MyCustomSource]
 EXTRACT-CONTACT_NO =^ [|\t0]+(?P<CONTACT_NO >\d+)\s+

Thanks

SGF

woodcock · ‎06-15-2015

Like this:

[MyCustomSource]
EXTRACT-CONTACT_NO = ^\s*\|\s*(?:0*)?(?<CONTACT_NO>\d+)

The main error that was going to cause it to NEVER work is the space in your capture name between the "NO" and the ">".

How to edit my props.conf to extract a field with leading zeros as a number instead of a string by default?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...