props.conf $ bad character - Help Wanted

jrialto — Fri, 14 Dec 2012 14:56:07 GMT

Hi all

Hope you can help!

There is data in our Oracle audit file that we want to add to Fields. It has a Dollar sign, half way through, and it is giving me a bad character error. Here's an example of what is in the aud files:

OS$USERID: [5] "FREDYF"

Any thoughts on what I can do to make an exception and add this as a field?

I entered the following in props.conf.

[source::....aud]

EXTRACT-osuserid = OS$USERID:(?[[0-9]+] "[^"]+")

Re: props.conf $ bad character - Help Wanted

alacercogitatus — Fri, 14 Dec 2012 15:26:17 GMT

Per the documentation, the following is what is allowed:

Valid characters for field names are a-z, A-Z, 0-9, or _. Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables. International characters are not allowed.

In your extract, you will want to do this: EXTRACT-osuserid = OS$USERID:(?<os_userid>[[0-9]+] "[^"]+")

This creates a field "os_userid" which conforms to the standard.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Use_proper_field_name_syntax

topic props.conf $ bad character - Help Wanted in Getting Data In

props.conf $ bad character - Help Wanted

Re: props.conf $ bad character - Help Wanted