Regex in transforms only matches parts of the data.

royhvaara
Engager

in inputs.conf:

[tcp://:9995]
connection_host = dns
sourcetype = tcp:9995
source = tcp:9995

in props.conf:

[source::tcp:9995]
# Transforms in a single TRANSFORMS list run in the order listed, so the
# metadata rewrites come first and the _raw rewrite last.
TRANSFORMS = streamsourcetype, streamsource, streamrawextract

in transforms.conf:

# Pull the source name out of the header line and overwrite the source
# that inputs.conf assigned.
[streamsource]
REGEX = ^source=(\S+)
DEST_KEY = MetaData:Source
FORMAT = source::$1

# Same for the sourcetype, which follows the source on the header line.
[streamsourcetype]
REGEX = ^source=\S+ sourcetype=(\S+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1

# Drop the header line and keep everything after the first newline as _raw.
# (?s) makes . match newlines so the whole XML body is captured.
[streamrawextract]
REGEX = (?s)^[^\n]+\n(.*)
DEST_KEY = _raw
FORMAT = $1

Expected input is XML, with the first line being in a special format:

source=<source> sourcetype=<sourcetype>\n
<input><entry host="example.com">1234</entry><entry host="static.example.com">95959</entry></input>

What's above is just an example. There is a lot of XML data being fed to Splunk. This is truncated at about 4030 chars when fed through streamrawextract; however, it is not truncated when streamrawextract is not applied. I obviously don't want it to be truncated in the middle of the data. Right now streamrawextract is invalidating my XML... I'm sure I'm missing some configuration setting somewhere, but I just can't seem to find out which one.

Also: it's insanely frustrating to have to restart Splunk every time I make a change to props.conf or transforms.conf. Is there any way to have Splunk reload the configuration without doing a restart (like a reload on most other services)?

1 Solution

royhvaara
Engager

I think I should ask questions here more often. Minutes after I asked the question I found the answer to my own question. In transforms.conf I added LOOKAHEAD = 10000 under [streamrawextract]. Now it matches all of it. I decided to answer my own question and not delete it as I haven't found a lot of info about this on the interwebs. Maybe it's just obvious to other people...

If anyone knows how to fix the last part (reloading the configs without restarting splunk) feel free to shout out! 🙂

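The truncation described in the question and fixed in the accepted answer comes from the LOOKAHEAD setting in transforms.conf: Splunk hands each transform's REGEX only the first LOOKAHEAD characters of the event (4096 by default), so a capture group can never reach past that window, and the `(.*)` in streamrawextract silently stops there. The script below is an added example, not code from the original post or from Splunk; it reproduces the three transforms in Python, applies them through a window of the given size, and checks whether the resulting `_raw` is still well-formed XML. The sample event (source `streamdemo`, sourcetype `stream:xml`, host names under `example.com`) is constructed here and is not from the post.

```python
import re
import xml.etree.ElementTree as ET

# Regexes copied from the transforms.conf stanzas in the post.
STREAMSOURCE_RE = re.compile(r"^source=(\S+)")
STREAMSOURCETYPE_RE = re.compile(r"^source=\S+ sourcetype=(\S+)")
STREAMRAWEXTRACT_RE = re.compile(r"(?s)^[^\n]+\n(.*)")

# transforms.conf default for LOOKAHEAD.
DEFAULT_LOOKAHEAD = 4096


def apply_transforms(event, lookahead=DEFAULT_LOOKAHEAD):
    """Simulate the three index-time transforms from the post.

    Each REGEX only sees the first `lookahead` characters of the event,
    exactly like Splunk's LOOKAHEAD window, so a capture group cannot
    return anything beyond that point. Returns the resulting source,
    sourcetype and rewritten _raw.
    """
    window = event[:lookahead]
    result = {}
    m = STREAMSOURCETYPE_RE.search(window)
    if m:
        result["sourcetype"] = m.group(1)
    m = STREAMSOURCE_RE.search(window)
    if m:
        result["source"] = m.group(1)
    m = STREAMRAWEXTRACT_RE.search(window)
    # If the regex does not match, Splunk leaves _raw untouched.
    result["_raw"] = m.group(1) if m else event
    return result


def xml_is_well_formed(text):
    """True if `text` parses as a single XML document."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def fits_window(event, lookahead):
    """True if the whole event lies inside the regex window, i.e. nothing
    after the header line can be cut off by streamrawextract."""
    return len(event) <= lookahead


def build_event(n_entries):
    """Constructed sample event in the post's header-line-plus-XML format.
    Host names are hypothetical. ~150 entries gives ~6.5 KB, which is over
    the 4096 default but under the 10000 used in the accepted answer."""
    entries = "".join(
        f'<entry host="host{i}.example.com">{i}</entry>' for i in range(n_entries)
    )
    return f"source=streamdemo sourcetype=stream:xml\n<input>{entries}</input>"


if __name__ == "__main__":
    event = build_event(150)
    for la in (DEFAULT_LOOKAHEAD, 10000):
        out = apply_transforms(event, lookahead=la)
        print(
            f"LOOKAHEAD={la}: event={len(event)} chars, "
            f"_raw={len(out['_raw'])} chars, "
            f"well-formed={xml_is_well_formed(out['_raw'])}"
        )
```

With the default window the captured `_raw` stops at about 4056 characters (4096 minus the header line) and the XML parser rejects it; with LOOKAHEAD = 10000 the whole body survives. The caveat a practitioner will want: LOOKAHEAD is a hard cap, not a hint. Any event longer than the value you set is cut in exactly the same way, so size it to the largest XML document the feed can produce (`fits_window` above makes that check explicit), and remember that props.conf TRUNCATE (default 10000) independently limits how many bytes of an event Splunk keeps at all.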
