All Apps and Add-ons

How to make extraction persistent and save the extracted fields if it called from rex command

royimad
Builder

I'm trying to extract fields from a source name of files, but those extraction are partially saved as a new field on Splunk. How to save those extracted source to be saved and persistent on Splunk if i login/logout.

source name example = app4_error_webservices.log
command used:
sourcetype="log4j" | rex field=source "/././(?.)_(?.)_(?.*).log"

The fields that need to be saved always are host_1, logtype , origine.
How to do that? any steps?

Thanks,
Roy

0 Karma
1 Solution

tgow
Splunk Employee
Splunk Employee

There are a couple of choices either the Web UI or editing the configuration files directly.

You can add a field extraction in the Manager-->Fields-->Field extractions-->New

Apply the field extraction to the sourcetype of log4j. Once you save this then the $SPLUNK_HOME/etc/users///local/props.conf

Now you can just edit the props.conf file and create the extraction with the following syntax. Which props.conf file you edit depends on the permissions and app context. Here is the first location that Splunk will look for the props.conf:

$SPLUNK_HOME/etc/system/local/props.conf

Create the following stanza:

[log4j]
EXTRACT-logtype = /././(?<host_1>.)_(?<logtype>.)_(?<origine>.*).log

Here are some links to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

Hope that helps.

View solution in original post

0 Karma

tgow
Splunk Employee
Splunk Employee

There are a couple of choices either the Web UI or editing the configuration files directly.

You can add a field extraction in the Manager-->Fields-->Field extractions-->New

Apply the field extraction to the sourcetype of log4j. Once you save this then the $SPLUNK_HOME/etc/users///local/props.conf

Now you can just edit the props.conf file and create the extraction with the following syntax. Which props.conf file you edit depends on the permissions and app context. Here is the first location that Splunk will look for the props.conf:

$SPLUNK_HOME/etc/system/local/props.conf

Create the following stanza:

[log4j]
EXTRACT-logtype = /././(?<host_1>.)_(?<logtype>.)_(?<origine>.*).log

Here are some links to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

Hope that helps.

View solution in original post

0 Karma

vishalgakhare
Engager

I am using Splunk Enterprise 6.0.3 and I am having the similar issue. I have created the extraction pattern through a web but don't find a way to save it and use it persistently. All I see in the prop.conf is the name of extraction and other config contains the field names that I have defined.

0 Karma

royimad
Builder

the following stanza could not work - i need to tell splunk to extract the field from the source file name.

0 Karma

royimad
Builder

I need to extract from source file name and this wouldn't work .

0 Karma