Hi and thank you,

I got the first part of this in my props.conf and I modified it a little and it works perfectly...

\[[^\]]+\]\s+\w*\s+\(\d+\)(?\S+?)\(\d+\)$

I am unsure on how and where to place the remainder of this (I am assuming it goes into transforms.conf?):

s/(\(\d+\))/./g

Please help me finish this up and thank you again...

Hi,

Could you post your regex again but using the code button above (the one with 1s and 0s)? Otherwise special characters will be removed.

With regards to your question about props and transforms, see the following links on how to use both files for advanced field extraction.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Createandmaintainsearch-timefieldextract...

https://answers.splunk.com/answers/132965/using-transforms-to-replace-raw-data-vs-sedcmd.html

https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html

https://answers.splunk.com/answers/119/what-is-role-of-transforms-conf-vs-props-conf-for-field-extra...

Hope that helps.

EXTRACT-url = \[[^\]]+\]\s+\w*\s+\(\d+\)(?<url>\S+?)\(\d+\)$

and my url comes out as

biggersearch(3)ent(4)john(5)local

I am having difficulty getting it to be

biggersearch.ent.john.local

Just unsure as to how to finish it up via transforms.conf

Many thanks and I apologize for being confused on this subject

If you're already extracting that in props, maybe just finish up there with an eval, something like this?

EVAL-url = replace(url,"\(\d+\)",".")

The eval should be processed after the extract.

Works like a charm! Thanks to you both for helping me put this all together.