Can you extract from a field that was extracted in...

sillingworth · ‎06-01-2017

Using the docs here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf, specifically this section:

* Use '<regex> in <src_field>' to match the regex against the values of a
  specific field.  Otherwise it just matches against _raw (all raw event
  data).

I came up with this:

EXTRACT-metric_parts = : (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
EXTRACT-test = (?<metric_test>.*) in metric_path

All the field extractions in metric_parts work fine, but metric_test doesn't appear (it should be a duplicate of metric_path, according to my understanding of the readme).

Is there a limitation I'm missing here? Can src_field only be one of the automatic fields like source?

sillingworth · ‎06-02-2017

The extractions in the question are actually correct, but it seems a full refresh isn't enough to pull in the updated props.conf (I have no idea why).

Sticking | extract reload=true on the end of my search revealed the new fields.

sillingworth · ‎06-02-2017

Actually scratch that. The original config started working for me, which I put down to the reload=true, but if I then add a third line extracting a field from within metric_test it still doesn't appear, whereas if I add it based on _raw it does.

I wonder if something is required to make Splunk aware that it can use metric_test as the source field.

woodcock · ‎06-01-2017

It appears that you need it named twice so you can use fieldalias for that:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields

woodcock · ‎06-01-2017

Switch from Extract to Report in props.conf:

REPORT-ArbitraryButUniqueStringHere = metric_parts, test

Then in transforms.conf this:

[metric_parts]
REGEX = (<metric type=".*?" name=")?(?<metric_path>.*?):(?<metric_name>.*?)[="]( value=")?(?<value>.*?)[" ]
[test]
SOURCE_KEY = metric_path
REGEX = (?<metric_test>.*)

sillingworth · ‎06-05-2017

What's the reason it has to be done that way? The docs suggest it's doable in extract.

woodcock · ‎06-05-2017

Evert EXTRACT happen simultaneously, as does every SEDCMD and many other things, but REPORT and TRANSFORMS can be serialized.

micahkemp · ‎06-01-2017

Though the documentation doesn't state this, I wonder if only works for indexed fields. Try setting it to source and see if that gives any results.

If that's the issue, you can use a transform and make use of the SOURCE_KEY directive instead to accomplish what you want.

sillingworth · ‎06-02-2017

Thanks for the answers guys. Turns out though what I have above works, once you reload the extracts with | extract reload=true. Added as an answer.

Can you extract from a field that was extracted in the same stanza?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...