All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make extraction persistent and save the extracted fields if it called from rex command

royimad
Builder
‎04-08-2013 05:49 AM

I'm trying to extract fields from a source name of files, but those extraction are partially saved as a new field on Splunk. How to save those extracted source to be saved and persistent on Splunk if i login/logout.

source name example = app4_error_webservices.log
command used:
sourcetype="log4j" | rex field=source "/././(?.)_(?.)_(?.*).log"

The fields that need to be saved always are host_1, logtype , origine.
How to do that? any steps?

Thanks,
Roy

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎04-08-2013 07:17 AM

There are a couple of choices either the Web UI or editing the configuration files directly.

You can add a field extraction in the Manager-->Fields-->Field extractions-->New

Apply the field extraction to the sourcetype of log4j. Once you save this then the $SPLUNK_HOME/etc/users///local/props.conf

Now you can just edit the props.conf file and create the extraction with the following syntax. Which props.conf file you edit depends on the permissions and app context. Here is the first location that Splunk will look for the props.conf:

$SPLUNK_HOME/etc/system/local/props.conf

Create the following stanza:

[log4j]
EXTRACT-logtype = /././(?<host_1>.)_(?<logtype>.)_(?<origine>.*).log

Here are some links to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

Hope that helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎04-08-2013 07:17 AM

There are a couple of choices either the Web UI or editing the configuration files directly.

You can add a field extraction in the Manager-->Fields-->Field extractions-->New

Apply the field extraction to the sourcetype of log4j. Once you save this then the $SPLUNK_HOME/etc/users///local/props.conf

Now you can just edit the props.conf file and create the extraction with the following syntax. Which props.conf file you edit depends on the permissions and app context. Here is the first location that Splunk will look for the props.conf:

$SPLUNK_HOME/etc/system/local/props.conf

Create the following stanza:

[log4j]
EXTRACT-logtype = /././(?<host_1>.)_(?<logtype>.)_(?<origine>.*).log

Here are some links to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

Hope that helps.

0 Karma
Reply
Solved! Jump to solution

vishalgakhare
Engager
‎03-07-2016 11:42 AM

I am using Splunk Enterprise 6.0.3 and I am having the similar issue. I have created the extraction pattern through a web but don't find a way to save it and use it persistently. All I see in the prop.conf is the name of extraction and other config contains the field names that I have defined.

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎04-08-2013 07:33 AM

the following stanza could not work - i need to tell splunk to extract the field from the source file name.

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎04-08-2013 07:32 AM

I need to extract from source file name and this wouldn't work .

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...