These examples present transform field extraction use cases that require you to configure one or more field transform stanzas in transforms.conf and then reference them in a props.conf field extraction stanza.
Configure a field extraction that uses multiple field transforms
You can create transforms that pull field name/value pairs from events, and you can create a field extraction that references two or more field transforms.
Scenario
You have logs that contain multiple field name/field value pairs. While the fields vary from event to event, the pairs always appear in one of two formats.
The logs often come in this format:
[fieldName1=fieldValue1] [fieldName2=fieldValue2]
However, sometimes they are more complicated, logging multiple name/value pairs as a list where the format looks like:
[headerName=fieldName1] [headerValue=fieldValue1], [headerName=fieldName2] [headerValue=fieldValue2]
The list items are separated by commas, and each fieldName is matched with a corresponding fieldValue. In this scenario, you want to pull out the field names and values so that the search results are
fieldName1=fieldValue1fieldName2=fieldValue2
Here's an example of an HTTP request event that combines both of the above formats.
[method=GET] [IP=10.1.1.1] [headerName=Host] [headerValue=www.example.com], [headerName=User-Agent] [headerValue=Mozilla], [headerName=Connection] [headerValue=close] [byteCount=255]
You want to develop a single field extraction that would pull the following field/value pairs from that event.
method=GETIP=10.1.1.1Host=www.example.comUser-Agent=MozillaConnection=closebyteCount=255
Solution
You want to design two different regular expressions that are optimized for each format. One regular expression will identify events with the first format and pull out all of the matching field/value pairs. The other regular expression will identify events with the other format and pull out those field/value pairs.
Create two unique transforms in transforms.conf--one for each regex--and then connect them in the corresponding field extraction stanza in props.conf.
Steps
- The first transform you add to
transforms.confcatches the fairly conventional[fieldName1=fieldValue1] [fieldName2=fieldValue2]case.[myplaintransform]REGEX=\[(?!(?:headerName|headerValue))([^\s\=]+)\=([^\]]+)\]FORMAT=$1::$2
- The second transform added to
transforms.confcatches the slightly more complex[headerName=fieldName1] [headerValue=fieldValue1], [headerName=fieldName2] [headerValue=fieldValue2]case:Both transforms use the[mytransform]REGEX=\[headerName\=([^\]]+)\]\s\[headerValue=([^\]]+)\]FORMAT=$1::$2
<fieldName>::<fieldValue>FORMATto match each field name in the event with its corresponding value. This setting inFORMATenables Splunk Enterprise to keep matching the regular expression against a matching event until every matching field/value combination is extracted. - This field extraction stanza, created in
props.conf, references both of the field transforms:[mysourcetype]KV_MODE=noneREPORT-a=mytransform, myplaintransform
Besides using multiple field transforms, the field extraction stanza also sets KV_MODE=none. This disables automatic key-value field extraction for the identified source type while letting your manually defined extractions continue. This ensures that these new regular expressions are not overridden by automatic field extraction, and it also helps increase your search performance.
For more information on automatic key-value field extraction, see Automatic key-value field extraction for search-time data.
Configure delimiter-based field extractions
You can use the DELIMS attribute in field transforms to configure field extractions for events where field values or field/value pairs are separated by delimiters such as commas, colons, tab spaces, and more.
You have a recurring multiline event where a different field/value pair sits on a separate line, and each pair is separated by a colon followed by a tab space. Here's a sample event:
ComponentId: Application ServerProcessId: 5316ThreadId: 00000000ThreadName: P=901265:O=0:CTSourceId: com.ibm.ws.runtime.WsServerImplClassName: MethodName: Manufacturer: IBMProduct: WebSphereVersion: Platform 7.0.0.7 [BASE 7.0.0.7 cf070942.55]ServerName: sfeserv36Node01Cell\sfeserv36Node01\server1TimeStamp: 2010-04-27 09:15:57.671000000UnitOfWork: Severity: 3Category: AUDITPrimaryMessage: WSVR0001I: Server server1 open for e-businessExtendedMessage:
Steps
- Configure the following stanza in
transforms.conf:This states that the field/value pairs in the event are on separate lines ([activity_report]DELIMS="\n", ":\t"
"\n"), and then specifies that the field name and field value on each line is separated by a colon and tab space (":\t"). - Rewrite the
props.confstanza above as:[activitylog]LINE_BREAKER=[-]{8,}([\r\n]+)SHOULD_LINEMERGE=falseREPORT-activity=activity_report
These two brief configurations will extract the same set of fields as before, but they leave less room for error and are more flexible.
Handling events with multivalue fields
You can use the MV_ADD attribute to extract fields in situations where the same field is used more than once in an event, but has a different value each time. Ordinarily, Splunk Enterprise only extracts the first occurrence of a field in an event; every subsequent occurrence is discarded. But when MV_ADD is set to true in transforms.conf, Splunk Enterprise treats the field like a multivalue field and extracts each unique field/value pair in the event.
Example
You have a set of events.
event1.epochtime=1282182111 type=type1 value=value1 type=type3 value=value3event2.epochtime=1282182111 type=type2 value=value4 type=type3 value=value5 type=type4 value=value6
The type and value fields are repeated several times in each event. In order to have search type=type3 return both events or to run a count(type) report on the two events that returns 5, create a custom multivalue extraction of the type field for these events.
StepsSet up your transforms.conf and props.conf files to configure multivalue extraction.
- In
transforms.conf, add the following.[mv-type]REGEX=type=(?<type>\s+)MV_ADD=true
- In
props.conffor your sourcetype or source, set the following.REPORT-type=mv-type
Last modified on 02 December, 2023
| Example inline field extraction configurations | Configure extractions of multivalue fields with fields.conf |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 7.0.1, 8.0.8, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 8.1.0, 8.1.1, 8.1.10
