Solved: How to configure props.conf for both of my search-...

skender27 · ‎02-02-2016

Hi,

I'd rather need to know how to put in .conf files both the following (search-time) extractions.
sql_where_clause is an existing field.
Should I put one by one in props.conf, or it is better to use transforms.conf?

Thanks,
Skender

 |  rex field=sql_where_clause  "ccti_class = (?P<class>.*?) AND ccti_category = '(?P<category>.*?)' "

skender27 · ‎02-04-2016

I resolved it using only props.conf:

[my_sourcetype]
...
...
EXTRACT-my_extractions = ccti_class = \'(?<class>[\w\s]+)\'.*ccti_category = \'(?<category>[\w\s]+)\'

View solution in original post

skender27 · ‎02-04-2016

I resolved it using only props.conf:

[my_sourcetype]
...
...
EXTRACT-my_extractions = ccti_class = \'(?<class>[\w\s]+)\'.*ccti_category = \'(?<category>[\w\s]+)\'

skender27 · ‎02-04-2016

Hi,

Thanks for your comment!

I am trying, but could you suggest me the optimized regex to extract the two fields (class and category) to insert in the transforms.conf?
Here is the sample event:

ccti_class = 'Service Forniture' AND ccti_category = 'Computer science' AND ( ticket_type = 'Change Request' and ticket_impact_code = '2' ) AND ( ticket_type = 'Change Request' and ticket_urgency_code = '1' )

skender27 · ‎02-02-2016

Could it be correct this way?

transforms.conf
[class_category]
REGEX = <regex expression to extract two fields>
SOURCE_KEY = field:sys_where_clause


props.conf
[my_sourcetype]
REPORT-class_category = class_category

somesoni2 · ‎02-02-2016

That will be correct if you want to use transforms.conf. For just props.conf, see this

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

How to configure props.conf for both of my search-time extractions (from another existing field)?

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?