How to tell which transform applied to which event

Alan_Bradley
Path Finder

Is there a way to tell if a regex has been applied to an event? I'm doing field extractions and want a way to confirm the field extractions applied to all the correct events. I suppose I could do this validation outside of Splunk using grep | linecount and cross-checking with the event count in Splunk. It would be cool if I could use Splunk, though.

1 Solution

matt
Splunk Employee

ivan_mirosav
Explorer

Would someone provide an accurate answer to this question?

0 Karma

woodcock
Esteemed Legend

It is not possible.

0 Karma

gkanapathy
Splunk Employee

grep would be a bad choice as its regular expressions are quite different from PCRE, which is what Splunk uses.

0 Karma

matt
Splunk Employee

The extract command should do the trick. Reference: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Extract

woodcock
Esteemed Legend

I do not understand this answer at all. The extract command has nothing to do with this.

0 Karma

MuS
SplunkTrust

Hi woodcock,

That is not correct; you can call specific transform stanzas using the extract command:

<extractor-name>
Syntax: <string>
Description: A stanza in the transforms.conf file. This is used when the props.conf file does not explicitly cause an extraction for this source, sourcetype, or host.

So by using extract, this part of the question:

"I'm doing field extractions and want a way to confirm the field extractions applied to all the correct events."

was answered correctly.

But besides this, there is not really another way to get something like this: "Is there a way to tell if a regex has been applied to an event?"

Hope that makes sense ...

cheers, MuS

0 Karma

woodcock
Esteemed Legend

I still do not see what you are saying. All extract does is execute a specific transform which in no way allows for any backtracking, which is what this question is about.

0 Karma

MuS
SplunkTrust

Yep, exactly what I said 😉

You can use extract to test and validate whether the transforms stanza works with search results.
But out of the box you will get no information for backtracking which transforms were executed against the events.

The question in my eyes is misleading because it asks two different things in one post:

  1. Is there a way to tell if a regex has been applied to an event?
  2. I'm doing field extractions and want a way to confirm the field extractions applied to all the correct events

For 2., the answer is extract.

One can argue that it actually did not answer the first question, and for argument's sake you might get something from running Splunk in debug mode or increasing the TransformsExtractionHandler log channel. But I never really tried, nor checked that.

cheers, MuS

0 Karma
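
A search along the lines of the extract approach discussed above, added here as an example and not part of any poster's reply: it runs one transforms.conf stanza explicitly and counts the events where its field did and did not appear, grouped by the default `punct` field so the unmatched event shapes stand out. The names `example_index`, `example_sourcetype`, `example_transform` and `example_field` are placeholders, and it assumes props.conf does not already extract `example_field` for these events. It checks a stanza you name against search results; it does not report which transforms Splunk applied on its own.

```spl
index=example_index sourcetype=example_sourcetype
| extract reload=true example_transform
| eval transform_result=if(isnotnull(example_field), "extracted", "not_extracted")
| stats count AS events, dc(source) AS sources, first(_raw) AS sample_event BY transform_result, punct
| sort transform_result, -events
```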

woodcock
Esteemed Legend

And only the OP might care. 100% of everyone else who ends up here from a search engine is looking for the answer that is NOT here.

0 Karma

ivan_mirosav
Explorer

You're right about this.

0 Karma