topic Re: How to make extraction persistent and save the extracted fields if it called from rex command in All Apps and Add-ons

How to make extraction persistent and save the extracted fields if it called from rex command

royimad — Mon, 28 Sep 2020 13:41:36 GMT

I'm trying to extract fields from a source name of files, but those extraction are partially saved as a new field on Splunk. How to save those extracted source to be saved and persistent on Splunk if i login/logout.

source name example = app4_error_webservices.log
command used:
sourcetype="log4j" | rex field=source "/././(?.)_(?.)_(?.*).log"

The fields that need to be saved always are host_1, logtype , origine.
How to do that? any steps?

Thanks,
Roy

Re: How to make extraction persistent and save the extracted fields if it called from rex command

tgow — Mon, 28 Sep 2020 13:41:41 GMT

There are a couple of choices either the Web UI or editing the configuration files directly.

You can add a field extraction in the Manager-->Fields-->Field extractions-->New

Apply the field extraction to the sourcetype of log4j. Once you save this then the $SPLUNK_HOME/etc/users///local/props.conf

Now you can just edit the props.conf file and create the extraction with the following syntax. Which props.conf file you edit depends on the permissions and app context. Here is the first location that Splunk will look for the props.conf:

$SPLUNK_HOME/etc/system/local/props.conf

Create the following stanza:

[log4j]
EXTRACT-logtype = /././(?<host_1>.)_(?<logtype>.)_(?<origine>.*).log

Here are some links to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

Hope that helps.

Re: How to make extraction persistent and save the extracted fields if it called from rex command

royimad — Mon, 08 Apr 2013 14:32:06 GMT

I need to extract from source file name and this wouldn't work .

Re: How to make extraction persistent and save the extracted fields if it called from rex command

royimad — Mon, 08 Apr 2013 14:33:05 GMT

the following stanza could not work - i need to tell splunk to extract the field from the source file name.

Re: How to make extraction persistent and save the extracted fields if it called from rex command

vishalgakhare — Mon, 07 Mar 2016 19:42:49 GMT

I am using Splunk Enterprise 6.0.3 and I am having the similar issue. I have created the extraction pattern through a web but don't find a way to save it and use it persistently. All I see in the prop.conf is the name of extraction and other config contains the field names that I have defined.