Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract fields at search time through props.conf file?

riqbal
Communicator
‎08-13-2018 03:55 AM

I have w3c format logs. I want to create the fiels through props.conf.
I want to use EXTRACT- xxx= for search time field extraction.
below is my sample event.

2014-01-02 22:12:37 5209 1x3.xxx2.xx.xxx 200 TCP_MISS 209383 546 GET http daxxx.clxxxnt.net 80 /photos/show_resized/137406/12/4/41.jpg - - - - daxxx.clxxxnt.net image/jpeg;%20charset=utf-8 http://daxxx.clxxxnt.net?&utm_source=email&utm_medium=sf&utm_term=Second%20Email%20SF%201/2&utm_cont... "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" OBSERVED "Content Servers" - 1x3.xx2.xx.xxx 5x.xxx.1xxx.2xxx 52
006

#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip r-supplier-ip c-port
Reply

sudosplunk
Motivator
‎08-13-2018 12:03 PM

Hi there,

Since you want to extract fields based on the order the values appear, I would recommend using REPORT instead of EXTRACT. Give this a try,

props.conf:

[sourcetype]
REPORT-w3c_extractions = name_for_extractions

transforms.conf:

[name_for_extractions]
REGEX = (?<date>\d{4}\-\d{1,2}\-\d{1,2})\s(?<time>\d{1,2}\:\d{1,2}\:\d{1,2})\s(?<time_taken>\d+)\s(?<c_ip>[\d|\.]{7,15})\s(?<sc_status>\d{1,3})\s(?<s_action>[\w|\_]*)\s(?<sc_bytes>\d+)\s(?<cs_bytes>\d+)\s(?<cs_method>\w*)\s(?<cs_uri_scheme>[\-|\w]*)\s(?<cs_host>\S*)\s(?<cs_uri_port>\d{1,6})\s(?<cs_uri_path>\S*)\s(?<cs_uri_query>\S*)\s(?<cs_username>\S*)\s(?<cs_auth_group>[^\s]*)\s(?<s_hierarchy>\S*)\s(?<s_supplier_name>\S*)\s(?<rs_content_type>\S*)\s(?<cs_referrer>\S*)\s\"(?<cs_user_agent>.*?)\"\s(?<sc_filter_result>\w*?)\s(?<cs_categories>.*?)\"\s(?<x_virus_id>\S*)\s(?<s_ip>[\d|\.]{7,15})\s(?<r_supplier_ip>[\d|\.]{7,15})\s(?<c_port>\d{1,6})

Regex tested here.

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...