How to add regex to transforms.conf

chamil3001 · ‎03-28-2013

Hi,
I have some data like this.

D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001
D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001
D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001
D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001
D HE122013032521002200GTB27000780000100108 00000000030008110000081100000 640001

I have to extract the fields from these. but the problem is IFE cannot extract as i want to.
cuz the fields are like this. have to extract them one by one. I don't know that much REGEX.

D
HE12
20130325
21002200
GTB27000
etc
etc

Please help.
I think i have to manually edit tranforms.conf and props.conf to do the translations right?

Thanks in advance

Chamil

kristian_kolb · ‎03-28-2013

If your log is really like that, with fixed-length fields concatenated together (mostly) without whitespace between them, you can do a props.conf only extraction, like so;

[your_sourctype]
EXTRACT-blah = (?<field_name1>\w{1})\s(?<field_name2>\w{4})(?<field_name3>\d{6})(?<field_name4>\d{6})(?<field_name5>\w{8})

etc etc

field_name1 (rename it as you please) would contain the first character \w{1}
then the space/tab is skipped \s
field_name2 would contain the next 4 characters \w{4}
field_name3 would contain the next 6 digits \d{6}
etc etc

Hope this helps,

Kristian

How to add regex to transforms.conf

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!