Using the docs here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf, specifically this section:
* Use '<regex> in <src_field>' to match the regex against the values of a specific field. Otherwise it just matches against _raw (all raw event data).
I came up with this:
EXTRACT-metric_parts = : (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
EXTRACT-test = (?<metric_test>.*) in metric_path
All the field extractions in metric_parts work fine, but metric_test doesn't appear (it should be a duplicate of metric_path, according to my understanding of the readme).
Is there a limitation I'm missing here? Can src_field only be one of the automatic fields like source?
The extractions in the question are actually correct, but it seems a full refresh isn't enough to pull in the updated props.conf (I have no idea why).
Sticking | extract reload=true on the end of my search revealed the new fields.
Actually scratch that. The original config started working for me, which I put down to the reload=true, but if I then add a third line extracting a field from within metric_test it still doesn't appear, whereas if I add it based on _raw it does.
I wonder if something is required to make Splunk aware that it can use metric_test as the source field.
It appears that you need it named twice so you can use fieldalias for that:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields
Switch from Extract to Report in props.conf:
REPORT-ArbitraryButUniqueStringHere = metric_parts, test
Then in transforms.conf this:
[metric_parts]
REGEX = (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
[test]
SOURCE_KEY = metric_path
REGEX = (?<metric_test>.*)
What's the reason it has to be done that way? The docs suggest it's doable in extract.
Every EXTRACT happens simultaneously, as does every SEDCMD and many other things, but REPORT and TRANSFORMS can be serialized.
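The ordering difference described in this answer, and the REPORT/transforms.conf chain from the accepted answer, as an added example that is not part of the original thread: a small Python model in which EXTRACT-style rules all read a snapshot of the pre-extraction fields, while REPORT-style transforms run in order and can read a field the previous one produced. The sample event is constructed; the model is a simplification of the behaviour the answer describes, not Splunk's own implementation.

```python
import re

# Constructed sample event shaped for the question's regex (not from the thread).
SAMPLE_EVENT = '<metric type="gauge" name="server.cpu:load" value="0.75" />'

# The two regexes from the thread, in Splunk/PCRE (?<name>...) syntax.
METRIC_PARTS = r'(<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]'
METRIC_TEST = r'(?<metric_test>.*)'

# Stage list: (regex, source field); '_raw' plays the role of the whole event.
CHAIN = [(METRIC_PARTS, '_raw'), (METRIC_TEST, 'metric_path')]


def to_python_regex(pcre: str) -> str:
    """Python's re module spells named groups (?P<name>...); rewrite the PCRE
    form but leave lookbehinds (?<= and (?<! untouched."""
    return re.sub(r'\(\?<(?![=!])', '(?P<', pcre)


def run_extraction(fields: dict, regex: str, source_key: str = '_raw') -> dict:
    """Apply one regex to the named source field and return the new fields.
    A source field that does not exist yields nothing, just as a field that
    has not been created yet cannot be matched against."""
    subject = fields.get(source_key)
    if subject is None:
        return {}
    m = re.search(to_python_regex(regex), subject)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else {}


def extract_simultaneous(raw: str, extractions: list) -> dict:
    """Model of EXTRACT-* stanzas: every regex sees only the fields that
    existed before any EXTRACT ran, so 'in metric_path' finds no such field."""
    snapshot = {'_raw': raw}
    fields = dict(snapshot)
    for regex, source_key in extractions:
        fields.update(run_extraction(snapshot, regex, source_key))
    return fields


def report_serialized(raw: str, transforms: list) -> dict:
    """Model of REPORT-* with SOURCE_KEY in transforms.conf: transforms run in
    the listed order, so the second one can read metric_path from the first."""
    fields = {'_raw': raw}
    for regex, source_key in transforms:
        fields.update(run_extraction(fields, regex, source_key))
    return fields


if __name__ == '__main__':
    print(extract_simultaneous(SAMPLE_EVENT, CHAIN))  # no metric_test key
    print(report_serialized(SAMPLE_EVENT, CHAIN))     # metric_test == 'server.cpu'
```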
Though the documentation doesn't state this, I wonder if it only works for indexed fields. Try setting it to source and see if that gives any results.
If that's the issue, you can use a transform and make use of the SOURCE_KEY directive instead to accomplish what you want.
Thanks for the answers guys. Turns out though what I have above works, once you reload the extracts with | extract reload=true. Added as an answer.