About regular expressions with field extractions
Inline and transform field extractions require regular expressions with the names of the fields that they extract.
In inline field extractions, the regular expression is in props.conf
. You have one regular expression per field extraction configuration.
In transform extractions, the regular expression is separated from the field extraction configuration. The regular expression is in transforms.conf
while the field extraction is in props.conf
. This means that you can apply one regular expression to multiple field extraction configurations, or multiple regular expressions to one field extraction configuration.
Regular expressions
When you set up field extractions through configuration files, you must provide the regular expression. You can design them so that they extract two or more fields from the events that match them. You can test your regular expression by using the rex
search command.
The capturing groups in your regular expression must identify field names that contain alpha-numeric characters or an underscore. See About Splunk regular expressions.
You can use the field extractor to generate field-extracting regular expressions. For information on the field extractor, see Build field extractions with the field extractor.
Proper field name syntax
Field names must conform to the field name syntax rules.
- Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.
- Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise internal variables.
Splunk software applies key cleaning to fields that are extracted at search time. When key cleaning is enabled, Splunk Enterprise removes all leading underscores and 0-9 characters from extracted fields. Key cleaning is enabled by default.
You can disable key cleaning for a search-time field extraction by configuring it as an advanced REPORT-
extraction type, including the setting CLEAN_KEYS=false
in the referenced field transform stanza. See Create advanced search-time field extractions with field transforms.
You cannot turn off key cleaning for inline EXTRACT-
(props.conf
only) field extraction configurations. See Configure inline extractions with props.conf.
When Splunk software extracts fields | Build field extractions with the field extractor |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!