- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Re: Extraction in props.conf not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extraction in props.conf not working
I have following inputs.conf
[script://$SPLUNK_HOME/etc/apps/mck-perflog-aix/bin/lsvgdetails.sh]
index = mck-perflog
sourcetype = lsvg_detail
interval = 60
Script returns output as:-
rootvg,64,559,199,360
I am using following in props.conf
[lsvg_detail]
EXTRACT-common = (?<vg_name>[^\,]+),(?<pp_size>[^\,]+),(?<total_pp>[^\,]+),(?<free_pp>[^\,]+),(<used_pp>[^\,]+)
but it is not extracting field, I do not have any transforms.conf
Can you please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any reason why you aren't using delimiter based extractions? I think that would be simpler in your case.
That said, the bug seems to be in your regex. Try this:
EXTRACT-common = ^(?<vg_name>[^\,]+),(?<pp_size>[^\,]+),(?<total_pp>[^\,]+),(?<free_pp>[^\,]+),(?<used_pp>[^\,]+)
You were missing a "?" at the end (used_pp). I also added a leading "^" which will force your regex to start at the beginning of the line; which is better than letting the regex engine guess.
I didn't change this, but you should note that your entire regex will fail to match if any of the fields you have defined are missing. That is [^\,]+ vs [^\,]*. You may or may not want this. Also, you don't need the backslash before your commas.
To use a delimiter based extraction, you can do the following:
props.conf:
[lsvg_detail]
SHOULD_LINEMERGE = False
DATETIME_CONFIG = CURRENT
REPORT-fields = lsvg_detail-fields
transforms.conf:
[lsvg_detail-fields]
DELIMS = ","
FIELDS = "vg_name", "pp_size", "total_pp", "free_pp", "used_pp"
In my option this is much simpler to understand and maintain in the future; and it may even be slightly faster than the regex approach (not that you're likely to notice the difference.) So unless you have a complex field extraction situation (i.e optional columns or very weird quoting logic) the I recommend sticking to the delimiter based approach. (And that's coming from someone who really enjoys writing and tweaking regular expressions.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your problem is probably that you don't a timestamp in your event. Splunk breaks by default after a timestamp. You don't want to change LINE_BREAKER in this case (or hardly ever), you simply want to add SHOULD_LINEMERGE = False in props. (I've updated my example above to reflect this.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using multiple unix echo to display text i.e
echo "splunkdvg,128,399,6,393"
echo "appvg,128,478,357,121"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi it gives me output like this
splunkdvg,128,399,6,393
appvg,128,478,357,121
rootvg,64,559,199,360
but when I use above format it adds VG name to used_pp, I think I need to use LINE_BREAKER but do not know what should be value of line breaker
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
