Splunk Search

Field extraction from an extracted field not working unless I pipe (|) to "extract reload=t"

jklumpp_splunk
Splunk Employee

I have a string in my log file that consists of a list of URL query parameters which are automatically extracted to new fields, so source looks like...

graph?node=100021+101024&sort=product.review.avg_rating|desc&groupby=product.code&offset=0&nbins=8

From this, the automatic extractions produce a new field for each of the name-value pairs; for example, I end up with a new field node with a value of 100021+101024. The problem with this is that those values are a delimited list with a + delimiter. So I've added a stanza to transforms.conf to extract each value into a new field dim_val_id.

[dimvalid]
SOURCE_KEY = node
DELIMS = "+"
MV_ADD = true
FIELDS = "dim_val_id"

For some reason though I don't get a dim_val_id field unless I add | extract reload=t to my search query. If I remove the extract dim_val_id disappears. My theory is that the node hasn't been extracted yet when my transform runs and that is why I don't get a dim_val_id field. Does anyone know how to get around this or have another suggested approach?

As extra credit, this transform doesn't exactly work as I would like. Even though I have specified MV_ADD = true, I will only get the first value in my new field unless I list dim_val_id multiple times in the FIELDS list.


jcoates_splunk
Splunk Employee

In your first extraction, you can nest capture groups: =((\d+)\+(\d+))&

That presumes you're using a transform to get at the data in the first place instead of any sort of autokv or something.

/edited to fix silly formatting problems

// grumble, markdown languages

/// something about my lawn

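To make the two approaches in this thread concrete, here is an added Python example (not from the original post or from Splunk's code) that models both: the key=value extraction of the query string followed by a multi-value split of the node field on "+", as the transforms.conf stanza in the question intends, and the nested capture group from the answer applied to the raw event. The sample line is constructed after the one quoted above; the function names and the dict-based field model are assumptions made for illustration and do not reflect how Splunk stores fields internally.

```python
import re

# Constructed sample event, modelled on the line quoted in the question.
SAMPLE_LINE = ("graph?node=100021+101024&sort=product.review.avg_rating|desc"
               "&groupby=product.code&offset=0&nbins=8")


def extract_query_fields(line: str) -> dict:
    """Split the query string into name/value fields, one value per name,
    the way an automatic key=value extraction would expose them.
    The '+' is kept literally: urllib.parse.parse_qs would decode it as a
    space, destroying the delimiter the next step still needs."""
    _, _, query = line.partition("?")
    fields = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def split_delimited(fields: dict, source_key: str, delim: str, new_field: str) -> dict:
    """Model of the [dimvalid] stanza (SOURCE_KEY, DELIMS, FIELDS, MV_ADD):
    every delimited value of the source field becomes one entry of a
    multi-value field, not just the first one.  If the source field has not
    been extracted yet (the theory in the question), nothing is produced."""
    if source_key not in fields:
        return fields
    values = [v for v in fields[source_key].split(delim) if v]
    out = dict(fields)
    out[new_field] = values
    return out


# The nested capture group suggested in the answer, run on the raw event.
NESTED_RE = re.compile(r"=((\d+)\+(\d+))&")


def nested_capture(line: str):
    """Group 1 is the whole '+'-joined list, groups 2 and 3 the two ids.
    Returns None when the event has no such list."""
    m = NESTED_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3)


if __name__ == "__main__":
    fields = extract_query_fields(SAMPLE_LINE)
    print(split_delimited(fields, "node", "+", "dim_val_id")["dim_val_id"])
    print(nested_capture(SAMPLE_LINE))
```

Note that the nested-capture approach only yields a fixed number of ids (two groups here), whereas the delimiter split handles any number of values; which one fits depends on whether the list length is known in advance.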