Solved: Re: change data upon indexing Admin-0, Admin-1, Ad...

mhornste · ‎08-21-2019

Hi,

I'm reading data from a JMeter test. One field is either named Admin or Admin-0, Admin-1 or Admin-2. The field is named ACL

I want Splunk to index this only as Admin. As written above, there is a value Admin which should be kept but the others should be renamed to Admin (instead of Admin-0 etc.).

My props.conf already looks like this

[mySourceType]
REPORT-jmeter = REPORT-jmeter
EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),**"(?<label>[^,]*),(?<ACL>[^"]*)"**,(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)

Example data:

2019/08/21 14:52:14.222,2003**,"Upload Document TXT, User-0"**,302,OK,hostname 1-1,text,true,,1234,0,1,1,https://FQDN,2003,0,0

So the above props.conf already splits two strings into two fields.

May I ask someone to help me to achieve this?

Thanks in advance!

somesoni2 · ‎08-21-2019

Try this

EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),"(?<label>[^,]*),(?<ACL>[^-"]*)(-\d+)*",(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)

View solution in original post

mhornste · ‎08-22-2019

That worked, thanks so much!

mhornste · ‎08-21-2019

Hi,

thanks, that worked! There is one small issue left: the label field sometimes still has the ACL (Admin/ User) left. See result of the new indexed data below:

Screenshot result

mhornste · ‎08-21-2019

https://imgur.com/a/pktkt3s

somesoni2 · ‎08-21-2019

Try this

EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),"(?<label>[^,]+),(?<ACL>[^-"]+)(-\d*)*",(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)

somesoni2 · ‎08-21-2019

Try this

EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),"(?<label>[^,]*),(?<ACL>[^-"]*)(-\d+)*",(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)

mhornste · ‎08-21-2019

marking the interesting lines bold did not work

"(?[^,]),(?[^"])"

the above regex splits the two values already into two fields. ACL should have only Admin or User (without -0 etc.)

change data upon indexing Admin-0, Admin-1, Admin-2 --> Admin

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...