https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351902#M64529 <P>I tried that as well, but it doesn't work</P> Thu, 21 Dec 2017 12:56:03 GMT edwinmae 2017-12-21T12:56:03Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351898#M64525 <P>Hi,</P> <P>We have a search that extracts Customer and Country correctly</P> <P>index=aaa host="<EM>Host1</EM>" sourcetype=aaa_bbb | rex field=source "C:\\DIR\(?\w*)\(?\w*)" | table source,Customer,Country</P> <P>source example = C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log</P> <P>--</P> <P>Now we want to use props.conf for extracting these 2 fields</P> <P>When modifying the props.conf on the Splunk server (/opt/splunk/etc/system/local/props.conf)</P> <P>[aaa_bbb]<BR /> EXTRACT-Customer,Country = C:\\DIR\(?\w*)\(?\w*) in source</P> <P>After rebooting the server the fields are not there (we tried different options, none seem to work)</P> <P>Please advise how we could extract these fields 'automatically' using props.conf</P> <P>Thanks</P> <P>/Edwin</P> Tue, 29 Sep 2020 17:19:18 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351898#M64525 edwinmae 2020-09-29T17:19:18Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351899#M64526 <P>Your not specifying the extracted field names</P> <P>try:<BR /> <CODE>EXTRACT-Customer,Country = C:\\\DIR\\(?&lt;customer&gt;\w*)\\(?&lt;country&gt;\w*) in source</CODE></P> Thu, 21 Dec 2017 11:57:51 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351899#M64526 nickhills 2017-12-21T11:57:51Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351900#M64527 <P>Hi @edwinmae</P> <P>PFA <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4027i54234CD0360759C6/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> You can use this regex in props.conf file.</P> Thu, 21 Dec 2017 12:48:09 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351900#M64527 abhijeet01 2017-12-21T12:48:09Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351901#M64528 <P>Something went wrong with copying. my apologies<BR /> The normal search is working and get the source, Customer and County, but not through props.conf</P> <P>So I had the below in props.conf, but it doesn't work</P> <P>[aaa_bbb]<BR /> EXTRACT-Customer,Country = C:\\TEM\(?\w*)\(?\w*) in source</P> Tue, 29 Sep 2020 17:20:45 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351901#M64528 edwinmae 2020-09-29T17:20:45Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351902#M64529 <P>I tried that as well, but it doesn't work</P> Thu, 21 Dec 2017 12:56:03 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351902#M64529 edwinmae 2017-12-21T12:56:03Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351903#M64530 <P>oh wait ! i think there are too many \\'s </P> <P>try<BR /> <CODE>EXTRACT-Customer,Country = C:\\DIR\\(?&lt;customer&gt;\w*)\\(?&lt;country&gt;\w*) in source</CODE></P> Thu, 21 Dec 2017 13:00:52 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351903#M64530 nickhills 2017-12-21T13:00:52Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351904#M64531 <P>still not working for me</P> Thu, 21 Dec 2017 13:08:23 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351904#M64531 edwinmae 2017-12-21T13:08:23Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351905#M64532 <P>whats the stanza named?</P> Thu, 21 Dec 2017 13:10:32 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351905#M64532 nickhills 2017-12-21T13:10:32Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351906#M64533 <P>I just came across your other post.</P> <P>Can you confirm this is exactly what you have?</P> <PRE><CODE>[source::C:\Web\*\*\Web\log\mobile.log] EXTRACT-Customer_Country = C:\\Web\\(?&lt;customer&gt;\w*)\\(?&lt;country&gt;\w*) in source [source::C:\Web\*\*\Web\log\web.log] EXTRACT-Customer_Country = C:\\Web\\(?&lt;customer&gt;\w*)\\(?&lt;country&gt;\w*) in source </CODE></PRE> <P>I say 'exactly', because although windows is not case sensitive, Splunk on windows is!</P> Thu, 21 Dec 2017 13:49:49 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351906#M64533 nickhills 2017-12-21T13:49:49Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351907#M64534 <P>I have another post?</P> <P>We also tried using the props.conf from the Splunk Forwarder (on the web server)</P> <P>[source::C:\DIR......\Web\log*bbb.log]<BR /> EXTRACT-Customer,Country = C:\\DIR\(?\w*)\(?\w*) in source</P> <P>--</P> <P>The inputs.conf (on the web server) looks like this:</P> <P>[monitor://C:\DIR**\Web\log*bbb.log]<BR /> disabled = 0<BR /> ignoreOlderThan = 3d<BR /> followTail = 0<BR /> sourcetype = aaa_bbb<BR /> crcSalt = <BR /> index = aaa</P> <P>--</P> <P>The props.conf file on the Splunk server</P> <P>stanza = aaa_bbb (=sourcetype)</P> <P>[aaa_bbb]<BR /> EXTRACT-Customer,Country = C:\DIR\(?\w*)\(?\w*) in source</P> <H2>tried with \\ and \</H2> <P>Using normal search with rex works fine </P> <P>index=aaa sourcetype=aaa_bbb | rex field=source "C:\\DIR\(?\w*)\(?\w*)" | table source,Customer,Country</P> <P>--</P> <P>Unfortunately the props.conf doesn't work</P> <P>We use Splunk 7.0.0 (Server and Forwarder)</P> <P>the source = Log path is same for all Customers:<BR /> C:\DIR\Customer\Country\Web\log\2017-12-bbb-log</P> Tue, 29 Sep 2020 17:20:53 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351907#M64534 edwinmae 2020-09-29T17:20:53Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351908#M64535 <P>Hi @edwinmae,</P> <P>I have tried with below configuration in props.conf in splunk 7.0.1</P> <PRE><CODE>[custom_st] EXTRACT-Country,Customer = C:\\DIR\\(?&lt;Customer&gt;\w*)\\(?&lt;Country&gt;\w*) in source </CODE></PRE> <P>And it's working fine with sample data which you have provided, please find below screenshot in which Country and Customer field is extracted properly.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4031iE83854395E224480/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 21 Dec 2017 17:54:41 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351908#M64535 harsmarvania57 2017-12-21T17:54:41Z https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351909#M64536 <P>It worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 22 Dec 2017 05:04:09 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-fields-extraction-m-using-props-conf/m-p/351909#M64536 edwinmae 2017-12-22T05:04:09Z