Splunk® Enterprise

Knowledge Manager Manual


About regular expressions with field extractions

Inline and transform field extractions require regular expressions with the names of the fields that they extract.

In inline field extractions, the regular expression is in props.conf. You have one regular expression per field extraction configuration.

In transform extractions, the regular expression is separated from the field extraction configuration. The regular expression is in transforms.conf while the field extraction is in props.conf. This means that you can apply one regular expression to multiple field extraction configurations, or multiple regular expressions to one field extraction configuration.

Regular expressions

When you set up field extractions through configuration files, you must provide the regular expression. You can design a regular expression so that it extracts two or more fields from each event it matches. You can test your regular expression by using the rex search command.

The capturing groups in your regular expression supply the field names; those names must contain only alphanumeric characters or an underscore.

You can use the field extractor to generate field-extracting regular expressions. For information on the field extractor, see Build field extractions with the field extractor.

Proper field name syntax

Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, ".", ":", and "_".
  • Field names cannot begin with 0-9 or "_". Leading underscores are reserved for Splunk Enterprise internal variables.

Splunk software applies key cleaning to fields that are extracted at search time. When key cleaning is enabled, Splunk Enterprise removes all leading underscores and 0-9 characters from extracted fields. Key cleaning is enabled by default.

You can disable key cleaning for a search-time field extraction by configuring it as an advanced REPORT- extraction type and including the setting CLEAN_KEYS=false in the referenced field transform stanza. See Create advanced search-time field extractions with field transforms.

You cannot turn off key cleaning for inline EXTRACT- (props.conf only) field extraction configurations. See Configure inline extractions with props.conf.
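As an added illustration, not code from the Splunk documentation or product, the following Python script emulates what a regular expression with named capturing groups yields for one event and how key cleaning (on by default, off with CLEAN_KEYS=false in a REPORT- transform) changes the resulting field names. The sshd-style event, the regular expression and the group names are constructed for this example.

```python
import re

# Emulation of named-capture-group field extraction and key cleaning as the
# page describes them. Splunk uses PCRE; (?P<name>...) group syntax is
# accepted by both PCRE and Python's re module, so the regex reads the same.

# Field name syntax from the page: a-z, A-Z, 0-9, ".", ":" and "_" are valid,
# but a name may not begin with 0-9 or "_".
VALID_FIELD_NAME = re.compile(r"^[A-Za-z.:][A-Za-z0-9.:_]*$")


def is_valid_field_name(name: str) -> bool:
    return VALID_FIELD_NAME.match(name) is not None


def clean_key(name: str) -> str:
    """Key cleaning as described: drop every leading '_' or 0-9 character."""
    return name.lstrip("_0123456789")


def extract_fields(regex: str, event: str, clean_keys: bool = True) -> dict:
    """Apply a field-extracting regex to one event and return {field: value}.

    clean_keys=True mimics the default behaviour; clean_keys=False mimics a
    REPORT- extraction whose transform stanza carries CLEAN_KEYS=false.
    """
    match = re.search(regex, event)
    if match is None:
        return {}
    fields = {}
    for name, value in match.groupdict().items():
        if value is None:  # optional group that did not participate
            continue
        fields[clean_key(name) if clean_keys else name] = value
    return fields


# Constructed sample event (hypothetical host and address, not real data).
EVENT = ("Jan 12 10:15:03 host1 sshd[4123]: Accepted publickey for alice "
         "from 10.0.0.7 port 51234")

# One regex extracting five fields. The '_src_ip' group name is chosen on
# purpose so that key cleaning has a leading underscore to strip.
SSHD_REGEX = (
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<auth_method>\w+) for (?P<user>\S+) "
    r"from (?P<_src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)"
)

if __name__ == "__main__":
    print(extract_fields(SSHD_REGEX, EVENT))                    # src_ip
    print(extract_fields(SSHD_REGEX, EVENT, clean_keys=False))  # _src_ip
```

With key cleaning on, the `_src_ip` group surfaces as the valid field `src_ip`; with it off, the field keeps its reserved leading underscore, which is why the page warns that such names collide with internal variables.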


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.6.0
