Splunk IT Service Intelligence

Regex concatenation in props & transforms

ialahdal
Path Finder

I am using regex to extract a field but I need 2 different regex.
so under transforms.conf I made 2 different regex but with the same field, under props I called them.

I seek to achieve 3 things,

1- mask data in uri if needed
2- concatenate fields if masked
3- extract uri

URIs come in 2 different forms
1- uri_path all letters with 1 field to extract: i.e /Core/Test/

2- uri_path_profile letters & numbers with 3 fields to extract i.e
*/Test/?id={NIN}&contactType={type}
*
where NIN is any 10 digit combination, and type is one out 3 possible strings

transforms.conf

#Field extraction for uri path
[uri_path]
REGEX = uri":"([\/A-Za-z]+)
FORMAT = uri::$1

[uri_path_profile]
REGEX = uri":"([\/A-Za-z]+)\?id=(\w+)&contactType=(\w+)
FORMAT = uri::$1?id=NIN&contactType=$3 NIN::$2 contact_type::$3

My end goal is to have both extracted regex into one field called uri but since the fields in the 2nd stanza is dynamic and will have a lot of entries i'd like them to all be made into one which would be
uri=/Test/?id=NIN&contactType=(group_3_value) so even if NIN has thousands of different records it will only show the 3 different strings at the end

is this doable?

Labels (1)
0 Karma
1 Solution

ialahdal
Path Finder

I solved this by using EVAL in props.conf

EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)

transforms.conf

[uri_path_1]
REGEX = uri":"(?<url>[\/A-Za-z]+)


[uri_path_2]
REGEX = uri":"(?<url>[\/A-Za-z]+)\?id=(?<NIN>\w+)&contactType=(?<contact_type>\w+)

View solution in original post

0 Karma

ialahdal
Path Finder

I solved this by using EVAL in props.conf

EVAL-url = if(isnull(contact_type),url,url . "/NIN/contactType/" . contact_type)

transforms.conf

[uri_path_1]
REGEX = uri":"(?<url>[\/A-Za-z]+)


[uri_path_2]
REGEX = uri":"(?<url>[\/A-Za-z]+)\?id=(?<NIN>\w+)&contactType=(?<contact_type>\w+)
0 Karma
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...