
How to make an extraction persistent and save the extracted fields if it is called from the rex command

royimad
Builder

I'm trying to extract fields from the source name of files, but those extractions are only partially saved as new fields in Splunk. How do I save those extracted fields so they are persistent in Splunk if I log in/log out?

source name example = app4_error_webservices.log
command used:
sourcetype="log4j" | rex field=source "/.*/.*/(?<host_1>.*)_(?<logtype>.*)_(?<origine>.*).log"

The fields that always need to be saved are host_1, logtype, origine.
How do I do that? Any steps?

Thanks,
Roy

0 Karma
1 Solution

tgow
Splunk Employee

There are a couple of choices: either the Web UI or editing the configuration files directly.

You can add a field extraction in Manager-->Fields-->Field extractions-->New

Apply the field extraction to the sourcetype log4j. Once you save this, then the $SPLUNK_HOME/etc/users///local/props.conf

Now you can just edit the props.conf file and create the extraction with the following syntax. Which props.conf file you edit depends on the permissions and app context. Here is the first location that Splunk will look for props.conf:

$SPLUNK_HOME/etc/system/local/props.conf

Create the following stanza:

[log4j]
EXTRACT-logtype = /.*/.*/(?<host_1>.*)_(?<logtype>.*)_(?<origine>.*).log

Here are some links to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

Hope that helps.

0 Karma

vishalgakhare
Engager

I am using Splunk Enterprise 6.0.3 and I am having a similar issue. I have created the extraction pattern through the web UI but don't find a way to save it and use it persistently. All I see in props.conf is the name of the extraction, and the other config contains the field names that I have defined.

0 Karma

royimad
Builder

The following stanza could not work - I need to tell Splunk to extract the field from the source file name.

0 Karma

royimad
Builder

I need to extract from the source file name and this wouldn't work.

0 Karma
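One way to make the extraction persistent while pointing it at the source field instead of the event text, as an added example that is not code from the thread; the class name sourceparts, the sample path and the file location are assumptions:

```ini
# Assumed location: $SPLUNK_HOME/etc/system/local/props.conf
# (or the local/props.conf of the app that owns the search).
# Added example, not from the original thread.
[log4j]
# EXTRACT-<class> runs against _raw unless "in <field>" is appended,
# so a stanza without "in source" never sees the file name at all.
# Constructed sample source: /var/log/app4_error_webservices.log
#   host_1=app4   logtype=error   origine=webservices
# Character classes stop the greedy .* from swallowing the underscores,
# and the dot before "log" is escaped so it only matches a literal dot.
EXTRACT-sourceparts = (?<host_1>[^_/]+)_(?<logtype>[^_/]+)_(?<origine>[^/]+)\.log$ in source
```

After saving the file, run a search with `| extract reload=true` or restart Splunk so the search head picks up the new stanza, then check that host_1, logtype and origine appear in the field sidebar without any rex in the search.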