Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rex command to regex in transforms.conf

ch_goh
Explorer
‎05-30-2014 04:29 PM

This rex statement works in search command: rex field=source "3......(?P.+?)rly"
I would like to convert it into REGEX statement in transforms.conf file.
What should be the REGEX statement?

Thanks in advanced.

0 Karma
Reply

wpreston
Motivator
‎05-31-2014 08:43 AM

I'd also suggest this page. It's a nice, easy walkthrough of using transforms.conf and props.conf for field extractions.

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-31-2014 08:15 AM

Assuming this is a search time extraction, you simply need to identify the field to "look" at as SOURCE_KEY (if you omit that, the default SOURCE_KEY is _raw
The regex is fine as, is. Since you are extracting a field and not asking Splunk to produce the key value pair dynamically... you specify it in the regex as you've done... and then you can, for documentation, specify the format.


[procname]
SOURCE_KEY = source
REGEX = 3......(?P.+?)rly
FORMAT = procname::$1

Be sure to call the stanza, procname, in my example from a REPORT- directive in the props.conf

The transforms.conf spec here shows a slightly different example, where the SOURCE_KEY defaults to raw and the transform is actually renaming the KEY of a KEY value pair already in the data... but it's the same principal.


[netscreen-error-field]
REGEX = device_id=[w+](?[^:]+)
FORMAT = err_code::$1

Here is a complete walk through all sorts of search time extractions using props.conf and transforms.conf for reference.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

ch_goh
Explorer
‎06-02-2014 10:48 AM

Thanks. But Splunk doesn't pick it up. Here is what I have in props.conf and transforms.conf.

props.conf:
[source::/logs/dxserver/3*_query_*.log]
REPORT-queryLog = dsaname

transforms.conf:
[dsaname]
SOURCE_KEY = source
REGEX = 3......(?P.+?)rly
FORMAT = dsaname::$1

Example of the source field = "/logs/dxserver/3wtxq20corerly1_query_20140601.log". I expect the dsaname field equals to 'core' (without the qoute).

Any syntax or format errors?
Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...