
Splunk - extract a field with dot/period


It seems that there is no way to extract fields with a . in the name.

I'm trying to use field extractors on our older data to create fields matching the newer data JSON fields.

{ "pirate": { "say ": "Shiver me timbers" } }

pirate.say = "Shiver me timbers"

To test this you can do something like this:

| metadata type=hosts index=_internal
| head 1
| eval message="Shiver me timbers, goes the pirate"
| table message
| rex field=message "(?<pirate.say>[^,]+)"

But all I get for my efforts is the same error message in both the 'rex' prototype described above and 'Field extractions' page.

From the 'rex' prototype I get:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<pirate.say>[^,]+)': Regex: syntax error in subpattern name (missing terminator)

From the 'Fields » Field extractions » Add new' I get:

Encountered the following error while trying to save: Regex: syntax error in subpattern name (missing terminator)

Any thoughts on how I can solve this one?


Solution

  • There are several different things going on here.

    First, no, you cannot create a regex with a dot in the field name being extracted. (Tested over at regex101.com, and it doesn't work.)

    When extracted from a JSON, Splunk can create fields that have a dot in them, signifying the hierarchy of the JSON.

    On the other hand, when auto extracting from normal data, Splunk will normally replace invalid characters with underscores.

    To extract a JSON, normally you use the spath command.

    To pull out a regex, just give it a valid name and then rename to contain the dot.

    | makeresults
    | eval message="Shiver me timbers, goes the pirate"
    | table message
    | rex field=message "(?<piratesays>[^,]+)"
    | rename piratesays as "pirate.say"
    

    I've forgotten whether you need single or double quotes for the odd name, so if that doesn't work, try this.

    | rename piratesays as 'pirate.say'
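An added Python sketch (not part of the thread or of Splunk) of what the workaround above achieves: flatten the JSON event into dotted field names the way spath does, extract from the older plain-text event with a validly named capture group, and rename that group to the same dotted name so both event formats yield matching fields. Python named groups are written (?P<name>...) rather than PCRE's (?<name>...), but the identifier rule that rejects the dot is the same; the sample events are constructed.

```python
import json
import re

# Constructed sample events: a newer JSON-formatted event and an older plain-text one.
NEW_EVENT = '{ "pirate": { "say": "Shiver me timbers" } }'
OLD_EVENT = "Shiver me timbers, goes the pirate"


def flatten_json(obj, prefix=""):
    """Flatten nested JSON into dotted field names (pirate.say), mirroring how
    Splunk names hierarchical fields when it extracts JSON."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(flatten_json(value, name))
        else:
            fields[name] = value
    return fields


def group_name_is_valid(name):
    """Capture group names must be identifiers: letters, digits, underscore,
    not starting with a digit. A dot fails, hence the 'subpattern name' error."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name) is not None


def dotted_group_fails(name):
    """True if the regex engine rejects a named group with this name."""
    try:
        re.compile(f"(?P<{name}>[^,]+)")
        return False
    except re.error:
        return True


def extract_and_rename(text, pattern, renames):
    """Extract with valid group names, then rename fields to their dotted targets,
    the equivalent of '| rex ... | rename piratesays as "pirate.say"'."""
    m = re.search(pattern, text)
    if m is None:
        return {}
    return {renames.get(k, k): v for k, v in m.groupdict().items()}


def legacy_fields(text):
    return extract_and_rename(text, r"(?P<piratesays>[^,]+)", {"piratesays": "pirate.say"})


def json_fields(text):
    return flatten_json(json.loads(text))
```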