Index-time field extraction issue

perezcla — Fri, 08 Sep 2017 09:15:05 GMT

Hello all,

I'm a bit stuck with my issue.
I do have this splunk infra :
Sources ==> UF ==> Indexer cluster (3 + master) Search head cluster.

I'm trying to extract fields at index time to transform it in a future.

My props.conf and transfroms.conf are deployed in indexers throught the master.

log line look like :
date="2017-09-08",time="08:08:00",s-ip="8.8.8.8",time-taken="8",c-ip="9.9.9.9",c-port="45687",s-action="TCP_DENIED",cs-user="foobar"

transforms.conf

[fieldtestextract]
WRITE_META = true
REGEX=cs-user="([^"]+)
FORMAT=csuser::$1

props.conf

[web:access:file]
TRANSFORMS-csuser = fieldtestextract
TZ = utc
SEDCMD-username =  s/,cs-user=\"[^\"]+\",/,cs-user="xxxx",/g

The SEDCMD is working like a charm but the tranforms won't work...
fields.conf on search heads :

[csuser]
INDEXED = true
INDEXED_VALUE = true

I don't see my field on search head and obsiously i'm not able to execute query against it.

Could you help me figuring out what's wrong with my configuration ?

Many thanks in advance.

Re: Index-time field extraction issue

perezcla — Fri, 08 Sep 2017 12:09:19 GMT

I have found my mistake... my transforms file was named transform.conf (no S ...) It 's now working 🙂

Re: Index-time field extraction issue

DalJeanis — Fri, 08 Sep 2017 14:05:30 GMT

@perezcla - thanks for posting your solution. We've moved your comment to an answer. Please accept your answer so that the question will show as closed. - dal

topic Re: Index-time field extraction issue in Splunk Search

Index-time field extraction issue

Re: Index-time field extraction issue

Re: Index-time field extraction issue