Splunk Tip: Regex Extractions in Props.conf


When you create an extraction in props.conf (a search-time field), you specify the name of the new field through a named capture group in the regular expression. For example:

EXTRACT-foo =  (?P<foo>\w+)

This configuration will create a field "foo" with a value of the first word found in the _raw field. You can also specify a field besides _raw in your extraction:

EXTRACT-foo =  (?P<foo>\w+) in host

Now, the tip here is that you should always use that uppercase P, like this: ?P<foo> even though the extraction will usually work without it. Why? Well, if you try to specify the source field, as in the latter example, you'll see that it won't work. No field will be extracted.

Now go mind your P's and Q's!

Bonus: This is an interesting backstory on why that P is there in the first place.