So I'm trying to extract an IP address from a multi-value field,
and my transforms stanza is something along these lines:
transforms.conf
[ip]
REGEX = ((?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*)
FORMAT = IP::$1
props.conf
[host::hostname]
TIME_FORMAT = %a %b %d %H:%M:%S %Y
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-ip = ip
So this works; however, it also extracts the source, sourcetype and host values into my new ip field.
So I have random fields that look like IP=source::source|host::host|sourcetype.
I could really use some help in trying to figure out why these extra values are being extracted.
Are you on a single server instance?
What if you try using only props? Something like the below in props.conf in place of REPORT:
EXTRACT-ip = (?<ip>(?:(?:\d{1,3}.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)|(?:::[\dA-Fa-f.]{1,15})|(?:::)]*)
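Running the posted pattern (the one in both the transforms.conf REGEX above and the EXTRACT-ip line just above) outside Splunk shows what it actually matches. This is an added example, not code from the thread or from Splunk: it uses Python's re module, which handles these constructs the same way Splunk's PCRE engine does, on constructed sample events and on a constructed string in the source::/host:: shape the poster describes. The unescaped `.` in the IPv4 branch and the bare `(?:::)` branch are what cause the odd values; the tightened pattern below (my own, with escaped dots, boundary lookarounds and a stricter IPv6 shape) is then checked with the ipaddress module.

```python
import ipaddress
import re

# The pattern from the transforms.conf / EXTRACT-ip lines above, unchanged.
POSTED_IP_RE = re.compile(
    r"((?:(?:\d{1,3}.){3}(?:\d{1,3}))"
    r"|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z.]+)?(?:::)?)"
    r"|(?:::[\dA-Fa-f.]{1,15})"
    r"|(?:::)]*)"
)

# Tightened version (added here, not from the thread):
#  - IPv4 dots are escaped, so "12 10:00:00" no longer satisfies (\d{1,3}.){3}\d{1,3}
#  - IPv6 must be 8 groups or contain exactly one "::" compression (plus optional %zone)
#  - lookarounds refuse matches glued to letters/digits/dots/colons, so the "ce::syslog"
#    fragment inside "source::syslog" and the bare "::" of "host::web01" are rejected
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
H = r"[0-9A-Fa-f]{1,4}"
IPV6 = (
    rf"(?:{H}:){{7}}{H}"
    rf"|(?:{H}:){{0,6}}(?:{H})?::(?:{H}:){{0,6}}(?:{H})?"
)
HARDENED_IP_RE = re.compile(
    rf"(?<![\w.:])({IPV4}|(?:{IPV6})(?:%[\w.]+)?)(?![\w.:])"
)

# Constructed sample events (not real data) and a constructed string in the shape of the
# source::/host:: values that ended up in the ip field.
EVENTS = [
    "Mar 12 10:00:00 hostname1 sshd[4242]: Accepted publickey for admin from 10.1.2.3 port 51234 ssh2",
    "Mar 12 10:00:01 hostname1 sshd[4243]: Accepted publickey for admin from 2001:db8::1 port 51235 ssh2",
    "Mar 12 10:00:02 hostname1 sshd[4244]: Received disconnect from fe80::1%eth0 port 51236",
]
METADATA = "source::syslog|host::web01|sourcetype::syslog"


def extract(pattern, text):
    """Return every match of `pattern` in `text` (capture group 1, i.e. FORMAT's $1), in order."""
    return [m.group(1) for m in pattern.finditer(text)]


def valid_ips(candidates):
    """Keep only candidates the ipaddress module accepts (zone id stripped before the check).
    Note that a bare "::" IS a valid IPv6 address, so validation alone would not have
    caught the host::/source:: separators; the regex has to avoid them."""
    kept = []
    for c in candidates:
        try:
            ipaddress.ip_address(c.split("%", 1)[0])
        except ValueError:
            continue
        kept.append(c)
    return kept


if __name__ == "__main__":
    for text in EVENTS + [METADATA]:
        print("posted  :", extract(POSTED_IP_RE, text))
        print("hardened:", extract(HARDENED_IP_RE, text))
        print("valid   :", valid_ips(extract(POSTED_IP_RE, text)))
        print()
```

On the first sample event the posted pattern's first hit is "12 10:00:00" (the unescaped dot happily consumes spaces and colons), and on the metadata-shaped string it returns "ce::syslog", "::" and "e::syslog": every `::` separator satisfies the final `(?:::)` alternative, and any hex-looking letters before one (`ce`, `e`) satisfy the IPv6 branch. Both patterns use only non-capturing groups and lookarounds that PCRE supports, so the hardened one can be dropped into REGEX (with `FORMAT = IP::$1`) or into EXTRACT-ip with a named group.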
Thank you, I tried this and I'm still getting the same results, although I've noticed that my issue only occurs when I run a search with data from two sources.
One of the sources is the one I want my extractions to match against,
and the other source shouldn't be getting matched.
My props stanza should only be matching hosts like this:
[host::(?-i)hostname1*]
but it's also matching and performing extractions (incorrectly) against the hosts that don't match my stanza.
Do you have any other props defined that are overriding / adding to the mix?
./splunk btool props list --debug
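The --debug listing is long because every setting from every props.conf is printed, prefixed with the file it came from. The helper below is an added example, not part of this thread and not a Splunk tool: it parses that output (assuming each line is one source-file path, whitespace, then the stanza header or setting exactly as written in that file) and reports every host:: stanza whose wildcard pattern covers a given host together with the REPORT-/EXTRACT-/TRANSFORMS- settings it attaches, so an extra stanza such as a catch-all [host::*] from another app stands out. The sample output is constructed, and the (?-i) flag is simply stripped (this demo always matches case-sensitively, a simplification rather than Splunk's exact rule).

```python
import fnmatch

# Constructed sample of `./splunk btool props list --debug` output (assumed format:
# "<path to props.conf><whitespace><line from that file>").
BTOOL_DEBUG = r"""
/opt/splunk/etc/apps/myapp/local/props.conf        [host::(?-i)hostname1*]
/opt/splunk/etc/apps/myapp/local/props.conf        KV_MODE = none
/opt/splunk/etc/apps/myapp/local/props.conf        REPORT-ip = ip
/opt/splunk/etc/apps/otherapp/local/props.conf     [host::*]
/opt/splunk/etc/apps/otherapp/local/props.conf     EXTRACT-ip = (?<ip>\d{1,3}(?:\.\d{1,3}){3})
/opt/splunk/etc/system/default/props.conf          [default]
/opt/splunk/etc/system/default/props.conf          ANNOTATE_PUNCT = True
/opt/splunk/etc/apps/search/local/props.conf       [syslog]
/opt/splunk/etc/apps/search/local/props.conf       REPORT-syslog = syslog-extractions
"""

# Setting prefixes that attach search-time field extractions in props.conf.
EXTRACTION_PREFIXES = ("REPORT-", "EXTRACT-", "TRANSFORMS-")


def parse_btool_debug(text):
    """Group btool --debug lines into {stanza: [(key, value, source_file), ...]}."""
    stanzas = {}
    current = None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        path, body = parts[0], parts[1].strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, [])
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current].append((key.strip(), value.strip(), path))
    return stanzas


def host_pattern(stanza):
    """For a 'host::<pattern>' stanza return its wildcard pattern, else None.
    The (?-i) flag is dropped; matching below is always case-sensitive (simplification)."""
    if not stanza.startswith("host::"):
        return None
    return stanza[len("host::"):].replace("(?-i)", "")


def extractions_for_host(stanzas, host):
    """Return [(stanza, setting_key, source_file)] for every extraction setting in a
    host:: stanza whose pattern matches `host`. More than one row means more than one
    stanza is contributing extractions to that host's events."""
    hits = []
    for stanza, settings in stanzas.items():
        pattern = host_pattern(stanza)
        if pattern is None or not fnmatch.fnmatchcase(host, pattern):
            continue
        for key, _value, path in settings:
            if key.startswith(EXTRACTION_PREFIXES):
                hits.append((stanza, key, path))
    return hits


if __name__ == "__main__":
    parsed = parse_btool_debug(BTOOL_DEBUG)
    for host in ("hostname1a", "hostname2"):
        print(host)
        for stanza, key, path in extractions_for_host(parsed, host):
            print(f"  [{stanza}] {key}  <- {path}")
```

Against real output, feed it `./splunk btool props list --debug > props-debug.txt` and parse that file; sourcetype-based stanzas such as [syslog] also add extractions but are keyed by sourcetype rather than host, so check those separately for the sourcetype of the second source.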
It's very possible. I just ran the debug command you suggested, and I've got a couple thousand lines to sift through.
Can you provide a sample event?