About regular expressions with field extractions
Inline and transform field extractions require regular expressions that name the fields they extract.
In inline field extractions, the regular expression is in props.conf. You have one regular expression per field extraction configuration.
In transform extractions, the regular expression is separated from the field extraction configuration. The regular expression is in transforms.conf, while the field extraction is in props.conf. This means that you can apply one regular expression to multiple field extraction configurations, or multiple regular expressions to one field extraction configuration.
When you set up field extractions through configuration files, you must provide the regular expression. You can design a regular expression so that it extracts two or more fields from the events that match it. You can test your regular expression by using the rex search command.
The named capturing groups in your regular expression define the field names; those names can contain only alphanumeric characters and underscores.
Proper field name syntax
Field names must conform to the field name syntax rules.
- Valid characters for field names are a-z, A-Z, 0-9, period (.), colon (:), and underscore (_).
- Field names cannot begin with 0-9 or an underscore. Leading underscores are reserved for Splunk Enterprise internal variables.
Splunk software applies key cleaning to fields that are extracted at search time. When key cleaning is enabled, Splunk Enterprise removes all leading underscores and 0-9 characters from extracted fields. Key cleaning is enabled by default.
You can disable key cleaning for a search-time field extraction by configuring it as an advanced REPORT- extraction type and including the setting CLEAN_KEYS=false in the referenced field transform stanza. See Create advanced search-time field extractions with field transforms.
You cannot turn off key cleaning for inline (props.conf only) field extraction configurations. See Configure inline extractions with props.conf.
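The following is an added example, not taken from this documentation page, that puts the two sections above together: a transforms.conf stanza holding one regular expression that two props.conf REPORT- configurations reuse, and an inline EXTRACT- configuration that lives entirely in props.conf. The sourcetype names, stanza names, field names and the sample event are all assumed for illustration.

```ini
# Added example (not from the Splunk documentation page). Stanza names,
# sourcetypes, field names and the sample event below are assumptions.
#
# Constructed sample event that both regular expressions are written against:
#   2024-05-01T10:22:01Z action=login user=alice src=10.0.0.5 result=fail
#
# Test the regular expression in Search before committing it to a config file:
#   sourcetype=linux_auth | rex "action=(?<action>\w+)\s+user=(?<user>\w+)\s+src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"

# --- transforms.conf ---
# One regular expression, reusable from any number of REPORT- settings.
# The named capturing groups (action, user, src_ip) become the field names;
# each contains only alphanumeric characters and underscores.
[auth_fields]
REGEX = action=(?<action>\w+)\s+user=(?<user>\w+)\s+src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})
# Key cleaning can be turned off only for REPORT- (transform) extractions.
# Leaving it on is the default; set this only when a leading underscore or
# digit in an extracted key must be preserved as-is.
CLEAN_KEYS = false

# --- props.conf ---
# Two sourcetypes share the same transform: one regular expression,
# multiple field extraction configurations.
[linux_auth]
REPORT-auth = auth_fields

[vpn_auth]
REPORT-auth = auth_fields

# An inline extraction keeps its regular expression in props.conf, one regular
# expression per EXTRACT- setting. Key cleaning cannot be disabled here, so a
# group named _result would be stored as the field "result" (leading
# underscore removed).
[linux_auth]
EXTRACT-result = result=(?<result>\w+)
```

Because the transform is referenced by name, changing the regular expression in the [auth_fields] stanza updates every sourcetype that reports it, which is the reuse the page describes; the inline EXTRACT- setting, by contrast, has to be repeated per sourcetype.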
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 8.2.2105, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104