I am trying to create a custom field using Field-Extraction and Field-Transformation pages of Manager. I am providing a simple regular expression for key value pair with =.
Following are the settings done in transformation pages of manager.
Regular expression : ^(\\s|[^\s=]+)+\s|=?$
Source Key : _raw
Format : first::$1,second::$2
And attached it to search app.
In Field extraction pages, I have attached my test.txt file to the above transformation.
But the result is not as expected and shows the same results.
test data:
Name=Nagesh
The result should be Name:Nagesh
If your test data contains Name=Nagesh, Splunk will automatically extract a field called Name which contains the value Nagesh. You need do nothing to configure that - unless you have assigned a sourcetype to this data which will prevent the automatic field extraction.
Field extraction does not change the existing data in any way. Where did you expect to see "Name:Nagesh"? What is the sourcetype of the data?
Finally, I think that the syntax of your transformation entries is wrong.
In fact, you are wrong. Field extraction does not change the format of the data. It creates fields that can be used in searches, reports and other commands.
If you really need to change the format of the data, be aware that this can only be done on inbound data as it is being parsed - and once the data is stored in the Splunk index, the format cannot be changed again. Here is how to do it using sed:
http://docs.splunk.com/Documentation/Splunk/4.2beta/Data/Anonymizedatausingconfigurationfiles#Throug...
The above data is just sample data; the actual data is much different. I have used this here for testing purposes, to see how custom field extraction works.
"Field extraction does not change the existing data in anyway. Where did you expect to see "Name:Nagesh"? What is the sourcetype of the data?"
What does the Format : first::$1,second::$2 represent in transforms?
I expected the data to be transformed into the above format. Am I wrong here?
The sourcetype is sourcetype=ini-too_small
My file name is "test.ini"
The above sourcetype is autogenerated by Splunk.
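As an added illustration of the answers above (this is not configuration posted by anyone in the thread), here is what a working search-time extraction for key=value pairs looks like in transforms.conf and props.conf. The stanza name kv_equals_extract is assumed; the sourcetype ini-too_small is the one given in the thread.

```ini
# Added example, not from the original thread: search-time key=value
# extraction. Splunk does not rewrite the stored event; it only creates
# fields that searches, reports and other commands can use.

# --- transforms.conf ---
[kv_equals_extract]
# Capture group 1 is the key, capture group 2 is the value.
# The expression posted in the question, ^(\\s|[^\s=]+)+\s|=?$, has only
# one capturing group, so $2 in its FORMAT is never populated.
REGEX = ([^\s=]+)=([^\s]+)
# FORMAT assigns field names; it does not change the event text.
# $1::$2 uses the captured key as the field name, so the event
# Name=Nagesh yields a field Name with the value Nagesh.
# Fixed field names also work, separated by spaces rather than commas:
# FORMAT = first::$1 second::$2
FORMAT = $1::$2
SOURCE_KEY = _raw

# --- props.conf ---
# Bind the transform to the autogenerated sourcetype from the thread.
[ini-too_small]
REPORT-kv = kv_equals_extract
```

After Splunk reloads the configuration, a search such as `sourcetype=ini-too_small | table _raw Name` shows the untouched raw event beside the extracted Name field, which is the "Name:Nagesh" result the question was looking for.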