Splunk Cloud Platform

Knowledge Manager Manual

About regular expressions with field extractions

Inline and transform field extractions require regular expressions with the names of the fields that they extract.

In inline field extractions, the regular expression is in props.conf. You have one regular expression per field extraction configuration.

In transform extractions, the regular expression is separated from the field extraction configuration. The regular expression is in transforms.conf while the field extraction is in props.conf. This means that you can apply one regular expression to multiple field extraction configurations, or multiple regular expressions to one field extraction configuration.

Regular expressions

When you set up field extractions through configuration files, you must provide the regular expression. You can design them so that they extract two or more fields from the events that match them. You can test your regular expression by using the rex search command.

The capturing groups in your regular expression must identify field names that contain alpha-numeric characters or an underscore. See About Splunk regular expressions.

You can use the field extractor to generate field-extracting regular expressions. For information on the field extractor, see Build field extractions with the field extractor.

Proper field name syntax

Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.
  • Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise internal variables.

Splunk software applies key cleaning to fields that are extracted at search time. When key cleaning is enabled, Splunk Enterprise removes all leading underscores and 0-9 characters from extracted fields. Key cleaning is enabled by default.

You can disable key cleaning for a search-time field extraction by configuring it as an advanced REPORT- extraction type, including the setting CLEAN_KEYS=false in the referenced field transform stanza. See Create advanced search-time field extractions with field transforms.

You cannot turn off key cleaning for inline EXTRACT- (props.conf only) field extraction configurations. See Configure inline extractions with props.conf.

Last modified on 04 January, 2023
When Splunk software extracts fields   Build field extractions with the field extractor

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2203, 9.0.2205, 8.2.2202, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters