Regex help in transforms : key-value extraction and assigning to key

koshyk
Super Champion

I'm trying to match a key-value pair within an SNMP trap message, whereby the KEY and VALUE are present in two fields.

# Data
var01_oid=1.3.6.1.4.1.123.5.5 var01_value=3 var02_oid=1.3.6.1.4.1.112.5.9 var02_value=2/9 var03_oid=1.3.6.1.4.1.345.5.3 var03_value=admin var04_oid=1.3.6.1.4.1.678.5.4 var04_value=10.0.2.48 

SPL and regex101 work correctly:

| rex "var01_oid=(?<oid_>\S+)\svar01_value=(?<oid_val>\S+)"

https://regex101.com/r/wV1qOZ/2

But when I put it into transforms/props, it fetches only the 1st digit in the extraction (not the entire OID):

[my_transform]
REGEX=var01_oid=(\S+)\svar01_value=(\S+)
FORMAT = oid_$1::$2
# I've put oid_ so the key starts with a letter, but the output shows as oid_1 = 3 (I was expecting oid_1.3.6.1.4.1.123.5.5 = 3)

Any idea why Splunk transforms.conf behaves differently from other systems?

Edit: it seems the question comes down to whether Splunk will allow a "." dot in the field name!?

0 Karma

gcusello
SplunkTrust

Hi koshyk,
probably it's the same thing, but try using [^ ]+ instead of \S+
Bye.
giuseppe

0 Karma

koshyk
Super Champion

tried, but same result 😞

0 Karma

gcusello
SplunkTrust

I tried on Regex101 and it runs (https://regex101.com/r/VwkPrG/1) with

var0\d_oid=(?<oid_>\S+)\svar0\d_value=(?<oid_val>\S+)

Bye.
Giuseppe

0 Karma

koshyk
Super Champion

Hi gcusello, as mentioned in my query it works in regex and in SPL, but NOT when you put it into Splunk conf files.

0 Karma

jkat54
SplunkTrust

See if disabling CLEAN_KEYS will fix it.

CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time.
  "Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.

0 Karma
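To make the documented key-cleaning rule concrete, here is an added example (not from the thread or from Splunk) that applies the transform's REGEX and FORMAT = oid_$1::$2 to the sample trap line from the question, once with cleaning and once without. The clean_key function is a plain reading of the spec text quoted above, not Splunk's own implementation, and PAIR_RE uses gcusello's var0\d variant of the regex.

```python
import re

# Constructed sample input: the SNMP trap line from the question.
TRAP = ("var01_oid=1.3.6.1.4.1.123.5.5 var01_value=3 "
        "var02_oid=1.3.6.1.4.1.112.5.9 var02_value=2/9 "
        "var03_oid=1.3.6.1.4.1.345.5.3 var03_value=admin "
        "var04_oid=1.3.6.1.4.1.678.5.4 var04_value=10.0.2.48")

# Same two capture groups as the transform's REGEX, generalised to any var0N pair.
PAIR_RE = re.compile(r"var0\d_oid=(\S+)\svar0\d_value=(\S+)")


def clean_key(name: str) -> str:
    """Model of CLEAN_KEYS = true as the spec describes it (assumption: this is
    the documented rule, not Splunk's code): every non-alphanumeric character
    becomes an underscore, then leading underscores and digits are stripped."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "_", name)
    return cleaned.lstrip("_0123456789")


def extract_oid_fields(event: str, clean_keys: bool = True) -> dict:
    """Apply FORMAT = oid_$1::$2 to every match: field name oid_<$1>, value <$2>."""
    fields = {}
    for oid, value in PAIR_RE.findall(event):
        key = f"oid_{oid}"          # what $1 substitution is expected to produce
        if clean_keys:
            key = clean_key(key)    # dots in the OID become underscores
        fields[key] = value
    return fields


if __name__ == "__main__":
    for setting in (False, True):
        print(f"CLEAN_KEYS = {str(setting).lower()}")
        for k, v in extract_oid_fields(TRAP, clean_keys=setting).items():
            print(f"  {k} = {v}")
```

Under the documented rule the dotted OID survives only with CLEAN_KEYS = false; with cleaning on, the field becomes oid_1_3_6_1_4_1_123_5_5, and a key that is all digits and dots (no oid_ prefix) would be stripped to nothing, which is why the prefix matters.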

koshyk
Super Champion

Default was true. So I tried changing it to false and now the value becomes

oid_$1

(which is just specified in the format)

0 Karma

DalJeanis
Legend

This has to be an issue with valid variable names. Normally, splunk replaces invalid characters with underscores.

In JSON extractions, splunk does go down levels, but 8 levels of .this.that seems a bit much.

0 Karma