help to use EXTRACT in props.conf

avoelk — Wed, 11 Nov 2020 10:54:04 GMT

I've been trying to extract fields from a log at search time with only the help of props.conf. in the spunk docu I read that EXTRACT would be good in that case, especially cause I try to extract multiple fields at once.

this is my EXTRACT in props.conf so far:

EXTRACT-fields = (?P<src_ip>\d*\.\d*\.\d*\.\d*)(?=\ \d* TCP_)\s(?P<bits>\d*)\s(?P<tcp_state>\w*_\w*)\s

this would go on for a while with different fields but it doesn't work. what do I do wrong?

this is how the log looks like for example:

2014-03-27 12:39:32 20 10.71.15.207 304 TCP_HIT 367 1470 GET http www.computerworld.com 80 /elqNow/elqFCS.js - - - - 23.196.74.53 application/x-javascript http://www.computerworld.com/s/article/9247206/Gameover_malware_takes_aim_at_Monster.com_and_CareerBuilder.com "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" OBSERVED "Technology/Internet" - 163.252.254.201 23.44.202.53 52809

Thanks a lot for any help!

Re: help to use EXTRACT in props.conf

avoelk — Wed, 11 Nov 2020 11:08:07 GMT

yeah well I guess I have the solution again... *facepalm*.

I've made an field extraction via splunk gui - settings - fields - field extraction and looked at the output. there it said the name of the extraction was

EXTRACT-src_ip,bits,tcp_state

so using this in my props.conf instead of only -fields made it work.... gosh.

hope this helps anyone who comes across this little problem.

topic Re: help to use EXTRACT in props.conf in Splunk Search

help to use EXTRACT in props.conf

Re: help to use EXTRACT in props.conf