Refine your search:

cant concatenate indexed data

0

concatenating fields at index time doesn't seem to work. I have the following transform:

[gztdnv]
REGEX = <td>\s+(\S+)\s+(\S+)
FORMAT = td_nv::$1.$2
MV_ADD = true

the data looks like:

"<td> BW  400"

I would expect to see a value for td_nv of BW400 after the search. However, the transform remains in its unprocessed state indicating that td_nv is simply "$1.$2". If I just use $1 or $2 it is evaluated correctly with that piece.

This is described in the splunk docs section under "create custom fields at index time". Any ideas?

asked 30 Nov '11, 16:49

cwi's gravatar image

cwi
211
accept rate: 0%

edited 12 Mar '12, 21:23

lguinn's gravatar image

lguinn ♦
11.0k5723

Is this transform referred to in props.conf using the EXTRACT directive or TRANSFORMS directive? Could you paste the props.conf section?

(30 Nov '11, 23:57) Ayn
4 Answers:
oldestnewestmost voted
0

There might be a couple of issues here but try this and let me know if it works:

[gztdnv]
REGEX = \<td\>\s+(\S+)\s+(\S+)
FORMAT = $1::$2
MV_ADD = true

The "<" and ">" have to be escaped with a backslash "". Also if you are creating a grouping in the REGEX then the FORMAT has to be "$1::$2".

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configureindex-timefieldextraction

link

answered 01 Dec '11, 07:15

tgow's gravatar image

tgow
1.1k4317
accept rate: 17%

< and > do not need to be escaped.

(01 Dec '11, 12:22) Ayn
0

Tried it with both FORMAT suggestions with no change so far. The props.conf entry is below. FYI, all the other extracts and reports pieces work.

Thx.

[MyLogs] TRUNCATE = 0 LINE_BREAKER = (?!) BREAK_ONLY_BEFORE = ^<segname> TIME_PREFIX = ^<start>s+ EXTRACT-segName = ^<segname> (?<segname>[^n]+) EXTRACT-testName = ^<testname> (?<testname>[^n]+) EXTRACT-testExec = ^<testexec> (?<testexec>[^n]+) EXTRACT-npes = ^<npes> (?<npes>[^n]+) EXTRACT-JobID = ^<jobid> (?<jobid>[^n]+) EXTRACT-compiler = ^<compiler> (?<compiler>[^n]+) EXTRACT-params = ^<params> (?<params>[^n]+) EXTRACT-rmgr = ^<rmgr> (?<rmgr>[^n]+) EXTRACT-user = ^<user> (?<user>[^n]+) EXTRACT-vers = ^<vers> (?<vers>[^n]+) EXTRACT-start = ^<start> (?<start>[^n]+) EXTRACT-end = ^<end> (?<end>[^n]+) EXTRACT-results = ^s*<results?>s+(?<results>[^n]+) EXTRACT-nodes = ^<nodes> (?<nodes>[^n]+) EXTRACT-real = ^reals+(?<runtime>[^n]+) REPORT-gztd = gztd REPORT-gztdnv = gztdnv REPORT-gzresults = gzresults

link

answered 01 Dec '11, 08:18

cwi's gravatar image

cwi
211
accept rate: 0%

0

You're using REPORT instead of TRANSFORMS for the fields you are trying to concatenate. REPORT is a definition for a search-time extraction, not an index-time extraction. You need to use TRANSFORMS if you want to concatenate values, as this is not supported for search-time extractions.

link

answered 01 Dec '11, 12:21

Ayn's gravatar image

Ayn
25.1k3717
accept rate: 41%

0

no luck so far... here are the three key files. Restarted splunk and no td_nv field even appears....

transforms.conf :

[gztdnv] REGEX = s+(S+)s+(S+)s+(S+) FORMAT = td_nv::"$1.$2" WRITE_META = true

props.conf :

[mylogs] TRANSFORMS-gztdnv = gztdnv

fields.conf:

[td_nv] INDEXED=true

link

answered 01 Dec '11, 13:45

cwi's gravatar image

cwi
211
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×5
×3

Asked: 30 Nov '11, 16:49

Seen: 606 times

Last updated: 12 Mar '12, 21:23

Related questions

Concatenate fields into a single string

searching multiple sources and concatenating results to one row per event

Loop through XML Child Elements and Concatenate

Concatenate fields into string on form

How to seach using a concatenated string

Script Indexed

Using OR with rex commands or combining search results

files not being indexed

How do I concatenate two fields into a string?

Copyright © 2005-2012 Splunk Inc. All rights reserved.