
Field extraction fails to extract all fields

bryancock
New Member

Hi All

I'm hoping someone might have an insight into a problem I'm having extracting fields from some XML based event data -- essentially I can only extract the first of 2 potential fields; the second field fails to be extracted and made available in the search app.

Example of the data I'm indexing:

<metrics>
<metric>
<name>diskavailablespaceC</name>
<value>1</value>
</metric>
<metric>
<name>diskavailablespaceE</name>
<value>7</value>
</metric>
</metrics>

My config files:

props.conf

[Power_test1]
TRANSFORMS-disk_available = disk_available

transforms.conf

[disk_available]
REGEX = (?i)<name>diskavailablespace(\w)</name>\s*?<value>(\d)</value>
FORMAT = $1::$2
WRITE_META = true

Some observations:

  • My expectation is that 2 fields should be extracted: C = 1 and E = 7.
  • Using the above, only a single field name 'C' is extracted from my indexed event data with value 1.
  • If I swap the order of the <metric> tags around, I extract a single field 'E' with value 7, suggesting to me that the regex is either failing or not being applied beyond the first match (??).
  • My regular expression, when tested in an external tool, seems to check out OK as it produces 2 matches of (2) groups --> one match for content of each <metric> tag.
  • I've added REPEAT_MATCH = true attribute with no change in behaviour.

I would appreciate any suggestions as to what may be going on, or what I might do to achieve the expected field extraction.

Many Thanks, B


Ayn
Legend

Two things:

  1. You really shouldn't be using index-time extractions (TRANSFORMS) unless you really know what you're doing and have a good reason for it. Search-time extractions give better performance and flexibility.
  2. Only one value will be extracted because this is default behaviour when encountering more than one value for a field in an event. This behaviour can be toggled using the MV_ADD directive in transforms.conf. From the docs:

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the 
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
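The search-time equivalent of the poster's configuration with MV_ADD enabled, as an added example that is not part of the original thread. The stanza name (disk_available), the sourcetype (Power_test1) and the FORMAT are taken from the post; switching from TRANSFORMS- to REPORT-, dropping WRITE_META (an index-time attribute), and widening the value capture from \d to \d+ so that multi-digit sizes also match are my assumptions about what the poster wants.

```ini
# props.conf
# REPORT- makes this a search-time extraction (the TRANSFORMS- form in the
# question is index-time, where MV_ADD is not valid).
[Power_test1]
REPORT-disk_available = disk_available

# transforms.conf
[disk_available]
# One match per <metric> block: group 1 becomes the field name (C, E, ...),
# group 2 its value. (\d+) is widened from the post's (\d) so sizes with more
# than one digit still match.
REGEX = (?i)<name>diskavailablespace(\w)</name>\s*?<value>(\d+)</value>
FORMAT = $1::$2
# Per the docs quoted in the answer above: with MV_ADD = false a value found
# for a field that already exists is discarded; with true every match is kept,
# and repeated names for the same field become a multivalue field.
MV_ADD = true
# WRITE_META = true is deliberately omitted: it only applies to index-time
# transforms.
```

Search-time extractions apply to events that are already indexed, so after reloading the configuration the existing Power_test1 events should show both C and E. To confirm the regex itself matches every <metric> block before editing any .conf file, run it ad hoc against the indexed events with `rex max_match=0` (0 means unlimited matches), for example `sourcetype=Power_test1 | rex max_match=0 "(?i)<name>diskavailablespace(?<drive>\w)</name>\s*?<value>(?<avail>\d+)</value>" | table drive avail`; rex cannot build field names from a capture group the way FORMAT = $1::$2 does, but two values in each of drive and avail shows that the regex, not the data, is fine.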