topic Re: field extraction working with rex but not props.conf in Getting Data In

field extraction working with rex but not props.conf

jdmclemore — Fri, 30 Oct 2020 16:28:30 GMT

I am trying to extract a portion of the source as a field. Here's what the source looks like:

D:\Host Logs\info.server.02.mfl

I'm trying to extract "info" from the source filename and this works perfectly as a splunk search:

search | rex field=source "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)"

But if I put this in props.conf for this sourcetype as a search-time extraction, it's not working:

EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source

I've tried multiple versions of this, taking out the extra "\", removing the quotes, etc., but cant seem to get this field to extract. A "splunk btool props list..." shows that the props.conf file is being used. It's in an app in /opt/splunk/etc/apps. This is Splunk Enterprise 8.0.4.1.

Edit: Here are all the versions I've tried so far...

EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source EXTRACT-sourcefield = D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source EXTRACT-sourcefield = "D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source

Re: field extraction working with rex but not props.conf

richgalloway — Fri, 30 Oct 2020 13:43:14 GMT

Have you tried this?

EXTRACT-sourcefield = D:\\Host Logs\\(?<newfield>[\w]+)\.\w+\.\w+\.(mfl|MFL) in source

Re: field extraction working with rex but not props.conf

amiftah_splunk — Fri, 30 Oct 2020 15:37:47 GMT

Or you can try:

EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)

Re: field extraction working with rex but not props.conf

jdmclemore — Fri, 30 Oct 2020 16:15:54 GMT

Thanks @richgalloway - yes I've tried that in props, but no extraction.

Re: field extraction working with rex but not props.conf

jdmclemore — Fri, 30 Oct 2020 16:19:38 GMT

Thanks @amiftah_splunk - unfortunately, this isn't working either.

Re: field extraction working with rex but not props.conf

amiftah_splunk — Fri, 30 Oct 2020 16:26:27 GMT

Are you extracting from a field?

You may need to use transforms:

transforms.conf:

[example]

SOURCE_KEY = source

REGEX = <your_regex>

props.conf:

REPORT-example = example

Re: field extraction working with rex but not props.conf

jdmclemore — Fri, 30 Oct 2020 16:39:15 GMT

Yes, extracting from the source field. I haven't tried going the REPORT route and using transforms.conf because its a simple inline extraction that shouldnt require transforms, per the documentation. Maybe worth giving it a shot though.

Re: field extraction working with rex but not props.conf

jdmclemore — Mon, 02 Nov 2020 21:03:25 GMT

Tried using REPORT and transforms, but still no good extraction...